Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 22, 2023, 8:44 a.m.	April 22, 2023, 9:02 a.m.

Size	281.6KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`665d90fc3264e6f0b3a2b2e4fc715caf`
SHA256	`cd96e18da320ba4ac313d3a189776d7defbea7098cf53156b1e4b680eb9e4c68`
CRC32	`06B4B74C`
ssdeep	`6144:Ipb0nofW70cc6rX8aZAG7p4q5LmSVNR/XnzBvqi3TFRL9QolQ:Ipb/fk5iGVbgshDBvqijFvRlQ`
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature

B.exe "C:\Users\test22\AppData\Local\Temp\B.exe"
2556
- smss.exe "C:\Program Files\Windows NT\smss.exe"
  2672
  - win.exe "C:\Program Files\Windows NT\win.exe"
    2812
- regedit.exe regedit.exe -s C:\Windows\ServerName.reg
  2732

Name	Response	Post-Analysis Lookup
www.jz3366.top	A 211.101.237.65	211.101.237.65

IP Address	Status	Action
164.124.101.2	Active	Moloch
211.101.237.65	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.101:49161 -> 211.101.237.65:5566	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.101:49161 -> 211.101.237.65:5566	2016879	ET POLICY Unsupported/Fake Windows NT Version 5.0	Potential Corporate Privacy Violation
TCP 192.168.56.101:49168 -> 211.101.237.65:5566	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 211.101.237.65:5566 -> 192.168.56.101:49161	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.101:49168 -> 211.101.237.65:5566	2016879	ET POLICY Unsupported/Fake Windows NT Version 5.0	Potential Corporate Privacy Violation
TCP 211.101.237.65:5566 -> 192.168.56.101:49161	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 211.101.237.65:5566 -> 192.168.56.101:49161	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 211.101.237.65:5566 -> 192.168.56.101:49168	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 211.101.237.65:5566 -> 192.168.56.101:49168	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 22, 2023, 8:44 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

The executable uses a known packer (1 event)

packer

NsPack 2.9 -> North Star

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 22, 2023, 8:43 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 22, 2023, 8:43 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73552000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01d50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73552000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (4 events)

file	C:\Windows\ServerName.reg
file	C:\Program Files\Windows NT\win.exe
file	C:\Windows\srvany.exe
file	C:\Program Files\Windows NT\smss.exe

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA April 22, 2023, 8:44 a.m.	service_start_name: start_type: 3 password: display_name: AdP19brT filepath: C:\Users\test22\AppData\Local\Temp\AdP19brT.sys service_name: AdP19brT filepath_r: C:\Users\test22\AppData\Local\Temp\\AdP19brT.sys desired_access: 16 service_handle: 0x0070a7d0 error_control: 0 service_type: 1 service_manager_handle: 0x0070a8c0	1	7382992	0

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\7263406\TemporaryFile\TemporaryFile

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (9 events)

Time & API	Arguments	Status	Return
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x0000017c process_name: mobsync.exe process_identifier: 2288	1	1
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x0000017c process_name: pw.exe process_identifier: 2332	1	1
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x0000017c process_name: taskhost.exe process_identifier: 2360	1	1
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x0000017c process_name: smss.exe process_identifier: 2672	1	1
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000378 process_name: win.exe process_identifier: 2812	1	1
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000378 process_name: cmd.exe process_identifier: 3012	1	1
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000370 process_name: conhost.exe process_identifier: 3020	1	1
Process32NextW April 22, 2023, 8:45 a.m.	snapshot_handle: 0x00000184 process_name: svchost.exe process_identifier: 2204	1	1
Process32NextW April 22, 2023, 8:45 a.m.	snapshot_handle: 0x000002fc process_name: WmiPrvSE.exe process_identifier: 2604	1	1

An executable file was downloaded by the processes b.exe, smss.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile April 22, 2023, 8:44 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $s$nJOnJOnJOíDOEJOX4@O¨JOFOmJO8 YOBJOnKOJO YOyJOX4AO0JO AO>JO @OwJOnJO'JO©LOoJORichnJOPELïe3dà Ð $ä à @å~ á ,p GÐ `à à ¥`àå `à À $ä 21jóâ ã ã $ã 3ã Aã Oã \ã kã ã ã ã ¿ã Ïã ºáã òã Lâ à Yâ ¸à fâ Àà qâ Èà {â Ðà â Øà â àà â èà «â ðà µâ øà Ââ á Ïâ á Úâ á æâ á KERNEL32.DLLRASAPI32.DLLUSER32.DLLGDI32.DLLWINMM.DLLWINSPOOL.DRVADVAPI32.DLLSHELL32.DLLOLE32.DLLOLEAUT32.DLLCOMCTL32.DLLWS2_32.DLLWININET.DLLCOMDLG32.DLLLoadLibraryAGetProcAddressVirtualProtectVirtualAllocVirtualFreeExitProcessRasHangUpAGetCursorPosGetSystemPaletteEntrieswaveOutUnprepareHeaderClosePrinterRegCreateKeyExAShellExecuteACLSIDFromStringHttpQueryInfoAChooseColorA `6¹pò.Ã~`è]¸+èµ0üÿÿ<tõµXüÿÿ<BÆÕ+ìûÿÿìûÿÿüÿÿµ`üÿÿ`j@hhjÿüÿÿÀjüÿÿè[¹hÙPSè±a6ý½Üûÿÿß?u Ç¹ë¹;Ã;t63{WQRSÿµüÿÿÿµüÿÿÖÏüÿÿ©ÿÐ[ZY_ùtÃëÅhjÿµüÿÿÿüÿÿµüÿÿNV6þùt?G,è<w÷zt8ué_fÁèÁÀÄë _ÄÁÀÄ+ÇÆÇëèÃâÆè:0üÿÿAøò+qtzqµ`üÿÿ6^üøt úyIëþyI3ÀGÀt <ïwØëí$ÁàfÇÀuëÇëä3ÛþøtÀtØfëó3ÛÁéÀtØfëóµìûÿÿµHüÿÿ<u?VVRVjhRÿüÿÿ_^ø½Æ¹ó¤îïVÿvühWÿüÿÿU[ë!3Éùt(CµìûÿÿVQSRVÿ3ÿsCÂPÿüÿÿZ[Y^Ãâá¸øt a¸Âaé øÿµäûÿÿöìûÿÿò>u~u~uëz^ÚSRV½(þÿÿ~ÆWÿxüÿÿ_Z[øtYôûÿÿ>Æ3ÉùuFë³ÇùRSP8ÿu@%ÿÿÿÆQPÿµôûÿÿÿ\|üÿÿYZ[ZøtFüÿvüÃFë´øÃéUìu}ü²¤èmsø3Éèds3Àè[s!°èRÀs÷uAªë×èPIâÅèDë.¬ÑètOÑèë"HÁà¬èè)=}s=søwAAV÷+ðó¤^ëÒuFÒÃ3ÉAèîÿÿÿÉèçÿÿÿròÃ]ÂjÿüÿÿÃ;Qu ÇA8`ÿÃBÀD$8agV <ÐIÿjÖX^èÉsÈ¶ÀÁâÂN\|Auê^SVq3ÛÒWy~,Uìê9Ñîã;þr+ÐË:îÅÀsÁæ5èAçøMuØ]Îb_z^9Ã[gò.ÃW·9¸ÂÁèx<¯Ç~;øs@cF¼Àfë4Ð¿=à+úÁÿøf9~ÿP\Î)èNÈá:qufã¿rÀëB+ÐøÛV® ÞÒ ÐÌÁê¡Â¿Fçþ>@_^ÃÖìQSv}Ú(Ûèù~]ü²U4áÌ>1è?ýÆÌMüuë^ÂBËÓâ_[ É:3v»ø90WÿB9}Ù÷Pü~ VÊxBè ½GÏ Óà EüG;H$\|â6HÉaÛò2èÚì@nÈÓèÏ¨«Æp=¾(\|êV[ jP3Òü(RCÄ7u¸£Ðe°ÁîFàLÃvG7ès ÛØ;ðuûC@ÓëdW¶EèvEYØ3æ¸ÃÊVúñèøAÀ&uW¬jL0aZèÜ1ë;N×ñ2P$WuÊK$D"NµÀëjøB¢¤Ò,Ï\|8ù&TñMÈH3G¸áãHRzQÉÜ×MôèQåÍ¤Öf4KMø ì@ðäÓç6Z 2ÛJOÎ89M`UÀ.ÜsjXé ávuÈÑón¨Ü^@þó«ÉfÂ ÿu@MÈèúüG} p¨]$#3 Ø¼ÁfGÔôªÂ ÂNæUÄdDývÄÜ#G¥±*MÎAÃ!¥G¡Â@ ;ÿÉl}eôë${ u=ïrÊ ¥ôÎ`t ös+`øyUAeþlïØçØÏT)jòC®~i3èbFÁ;Ã¡¯ÇÃd-:Fè/£¦/uEIG%ÑÁ FèuX9îjUµ(ð>ÿÀ+#øD ùôÓrf3ÿJcéJHX°DF1uHìë'+VÈè.Ãðë uvÉäµp;ìm´ÛQæEÝh 2UÕÅê#~H¹àýÏ²#éðÙ[ä¶ÑÚ³,dR2" 7èP²øH´\|}IXØ request_handle: 0x00cc000c	1	1	0
InternetReadFile April 22, 2023, 8:44 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÔeÉµù6Éµù6Éµù6 º¦6Èµù6²©õ6Êµù6¦ªò6Èµù6J©÷6Íµù6¦ªó6Âµù6¦ªý6Ëµù6Éµù6Èµù6 º¤6Îµù6Éµø6®µù6!ªò6Ãµù6RichÉµù6PEL\|¾aàP R`@Xdx.textLOP `.dataÌ` `@À request_handle: 0x00cc000c	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00046281', u'virtual_address': u'0x000d4000', u'entropy': 7.998450988803019, u'name': u'', u'virtual_size': u'0x00047000'}

entropy

7.9984509888

description

A section with a high entropy has been found

entropy

1.0

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

win.exe

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 722 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x0000017c process_name: sm&< process_identifier: 2672		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000174 process_name: sm&v process_identifier: 2672		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x0000017c process_name: sm&° process_identifier: 2672		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000174 process_name: sm'è process_identifier: 2672		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x0000017c process_name: sm&Ĥ process_identifier: 2672		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000174 process_name: sm&ţ process_identifier: 2672		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x0000017c process_name: sm'ƛ process_identifier: 2672		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000378 process_name: wiFȮ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000370 process_name: wiJɊ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000378 process_name: wiFɦ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000370 process_name: wiFʁ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000378 process_name: wiFʡ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000370 process_name: wiJ˂ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000370 process_name: wiJ˼ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000378 process_name: wiF̘ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000370 process_name: wiJ̴ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000378 process_name: wiJ͏ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000370 process_name: wiJͯ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000378 process_name: wiFΐ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000378 process_name: wiFϊ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000370 process_name: wiJϦ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000378 process_name: wiFЂ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000370 process_name: wiFН process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000378 process_name: wiFн process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000370 process_name: wiJў process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000370 process_name: wiJҘ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000378 process_name: wiFҴ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000370 process_name: wiJӐ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000378 process_name: wiJӫ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000370 process_name: wiJԋ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000378 process_name: wiFԬ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000378 process_name: wiFզ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000370 process_name: wiJւ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000378 process_name: wiF֞ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000370 process_name: wiFֹ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000378 process_name: wiFי process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000370 process_name: wiJ׺ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000370 process_name: wiJش process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000378 process_name: wiFِ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000370 process_name: wiJ٬ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000378 process_name: wiJڇ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000370 process_name: wiJڧ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000378 process_name: wiFۈ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000378 process_name: wiF܂ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000370 process_name: wiJܞ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000378 process_name: wiFܺ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000370 process_name: wiFݕ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000378 process_name: wiFݵ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000370 process_name: wiJޖ process_identifier: 2812		0	0
Process32NextW April 22, 2023, 8:44 a.m.	snapshot_handle: 0x00000370 process_name: wiJߐ process_identifier: 2812		0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ServerName\ImagePath

reg_value

C:\Windows\srvany.exe

Network communications indicative of possible code injection originated from the process smss.exe (3 events)

Time & API	Arguments	Status	Return
InternetCrackUrlA April 22, 2023, 8:44 a.m.	url: http://211.101.237.65:5566/server.exe flags: 0	1	1
InternetConnectA April 22, 2023, 8:44 a.m.	username: service: 3 hostname: 211.101.237.65 internet_handle: 0x00cc0004 flags: 0 password: port: 5566	1	13369352
HttpOpenRequestA April 22, 2023, 8:44 a.m.	connect_handle: 0x00cc0008 http_version: HTTP/1.0 flags: 2214592512 http_method: GET referer: path: /server.exe	1	13369356

Stops Windows services (1 event)

service

ServerName (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ServerName\Start)

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Bkav	W32.AIDetect.malware1
Lionic	Trojan.Win32.Bjlog.lzuS
MicroWorld-eScan	Gen:Variant.Graftor.945714
CAT-QuickHeal	Trojan.Generic.2919
McAfee	Artemis!665D90FC3264
Cylance	unsafe
Zillya	Virus.Hupigon.Win32.5
Sangfor	Trojan.Win32.FlyStudio.Vaou
CrowdStrike	win/malicious_confidence_70% (W)
Alibaba	TrojanDownloader:Win32/FlyStudio.ae13fb70
K7GW	Trojan ( 005257651 )
K7AntiVirus	Trojan ( 005257651 )
Arcabit	Trojan.Graftor.DE6E32
BitDefenderTheta	Gen:NN.ZexaF.36164.rmGdayXyRTi
Cyren	W32/Downloader.AT.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.FlyStudio.AA potentially unwanted
Cynet	Malicious (score: 100)
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan.Win32.Siscos.acer
BitDefender	Gen:Variant.Graftor.945714
NANO-Antivirus	Trojan.Win32.Drop.jvoaam
Avast	Win32:TrojanX-gen [Trj]
Tencent	Win32.Trojan.Siscos.Mcnw
Emsisoft	Gen:Variant.Graftor.945714 (B)
F-Secure	Heuristic.HEUR/AGEN.1331417
VIPRE	Gen:Variant.Graftor.945714
McAfee-GW-Edition	BehavesLike.Win32.Generic.dc
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.665d90fc3264e6f0
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Jiangmin	Trojan/StartPage.nxa
Avira	HEUR/AGEN.1331417
MAX	malware (ai score=82)
Antiy-AVL	Trojan/Win32.FlyStudio.a
Gridinsoft	Pack.Win32.Gen.bot!ep-44128
Xcitium	Backdoor.Win32.Popwin.~IQ@ogvrk
Microsoft	Trojan:Win32/Tiggre!rfn
ViRobot	Trojan.Win.Z.Graftor.288385
ZoneAlarm	Trojan.Win32.Siscos.acer
GData	Gen:Variant.Graftor.945714
Google	Detected
AhnLab-V3	Trojan/Win.Generic.C5229540
ALYac	Gen:Variant.Graftor.945714
Malwarebytes	Malware.Heuristic.1003
TrendMicro-HouseCall	TROJ_GEN.R002H0CDJ23
Rising	Trojan.Siscos!8.2A3A (CLOUD)

B.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All