Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 19, 2023, 7:47 a.m.	Oct. 19, 2023, 7:58 a.m.

Size	1.1MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`6e781cf49af81b961d0ab465210a35f8`
SHA256	`b7980abb0fbb1e27c9dfd24f2d36891986e3325b2596fff09baa3904830eac0c`
CRC32	`722E8022`
ssdeep	`24576:nlP+gGRPlVlmClblzNj9ZmT5/Za866njeXTJbrn0fatsse:lP+bxlVzlZNjvG/IjlrsQxe`
Yara	PE_Header_Zero - PE File Signature IsPE64 - (no description)

Ads.exe "C:\Users\test22\AppData\Local\Temp\Ads.exe"
2556
- InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2644
  - BbewQJjIF4TpHgbafcqE8yXQ.exe "C:\Users\test22\Pictures\BbewQJjIF4TpHgbafcqE8yXQ.exe"
    2856
    - BbewQJjIF4TpHgbafcqE8yXQ.exe "C:\Users\test22\Pictures\BbewQJjIF4TpHgbafcqE8yXQ.exe"
      2084
  - YXnoCa8ogkWmtQBVkyIWVjTu.exe "C:\Users\test22\Pictures\YXnoCa8ogkWmtQBVkyIWVjTu.exe"
    2904
  - yA5UHXe5SsWoZZSRhhzJSkKQ.exe "C:\Users\test22\Pictures\yA5UHXe5SsWoZZSRhhzJSkKQ.exe"
    2972
  - ofG4l3a49c8jVWMpxDLXRIv2.exe "C:\Users\test22\Pictures\ofG4l3a49c8jVWMpxDLXRIv2.exe"
    2964
  - JcZsP3apGXfj5EcWuRtH9Iph.exe "C:\Users\test22\Pictures\JcZsP3apGXfj5EcWuRtH9Iph.exe"
    1120
  - Sw3y8W0DslF2ivCXrkg0wwdg.exe "C:\Users\test22\Pictures\Sw3y8W0DslF2ivCXrkg0wwdg.exe" --silent --allusers=0
    2064

Name	Response	Post-Analysis Lookup
yip.su	A 148.251.234.93	148.251.234.93
pastebin.com	A 104.20.67.143 A 172.67.34.170 A 104.20.68.143	172.67.34.170
galandskiyher5.com	A 194.169.175.127	194.169.175.127
gobo02fc.top	A 85.143.220.63	85.143.220.63
flyawayaero.net	A 172.67.216.81 A 104.21.93.225	172.67.216.81
apps.identrust.com	A 23.67.53.27 A 23.67.53.17 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net	23.209.95.51
laubenstein.space	A 45.130.41.101	45.130.41.101
diplodoka.net	A 104.21.78.56 A 172.67.217.52	104.21.78.56
net.geo.opera.com	A 107.167.110.211 A 107.167.110.216 CNAME lati.lb.opera.technology CNAME us.net.opera.com	107.167.110.211
lycheepanel.info	A 104.21.32.208 A 172.67.187.122	104.21.32.208
pool.hashvault.pro	A 131.153.76.130 A 125.253.92.50	131.153.76.130
darianentertainment.com	A 65.109.26.240	65.109.26.240
grabyourpizza.com	A 104.21.90.82 A 172.67.197.174	172.67.197.174
potatogoose.com	A 172.67.180.173 A 104.21.35.235	172.67.180.173

IP Address	Status	Action
162.159.135.233	Active	Moloch
104.20.67.143	Active	Moloch
104.21.32.208	Active	Moloch
107.167.110.216	Active	Moloch
131.153.76.130	Active	Moloch
148.251.234.93	Active	Moloch
164.124.101.2	Active	Moloch
172.67.180.173	Active	Moloch
172.67.197.174	Active	Moloch
172.67.216.81	Active	Moloch
172.67.217.52	Active	Moloch
194.169.175.127	Active	Moloch
23.67.53.27	Active	Moloch
45.130.41.101	Active	Moloch
65.109.26.240	Active	Moloch
85.143.220.63	Active	Moloch
85.217.144.143	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:52815 -> 164.124.101.2:53	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 104.20.67.143:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49167 -> 172.67.197.174:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:61950 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 172.67.216.81:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49165 -> 85.217.144.143:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 85.217.144.143:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 85.217.144.143:80 -> 192.168.56.101:49165	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.101:49173 -> 45.130.41.101:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 65.109.26.240:443 -> 192.168.56.101:49172	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 85.217.144.143:80 -> 192.168.56.101:49165	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 85.217.144.143:80 -> 192.168.56.101:49165	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 85.217.144.143:80 -> 192.168.56.101:49165	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49175 -> 172.67.217.52:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49176 -> 172.67.180.173:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49177 -> 107.167.110.216:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49168 -> 104.21.32.208:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:52815 -> 8.8.8.8:53	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	Potentially Bad Traffic
TCP 194.169.175.127:80 -> 192.168.56.101:49169	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 194.169.175.127:80 -> 192.168.56.101:49169	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.101:49170 -> 85.143.220.63:80	2022896	ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016	A Network Trojan was detected
TCP 192.168.56.101:49170 -> 85.143.220.63:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 192.168.56.101:49170 -> 85.143.220.63:80	2031089	ET HUNTING Request to .TOP Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.101:49172 -> 65.109.26.240:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49172 -> 65.109.26.240:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49172 -> 65.109.26.240:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.93:443 -> 192.168.56.101:49178	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49178 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 85.143.220.63:80 -> 192.168.56.101:49170	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 85.143.220.63:80 -> 192.168.56.101:49170	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 85.143.220.63:80 -> 192.168.56.101:49170	2023464	ET HUNTING Possible EXE Download From Suspicious TLD	Misc activity
UDP 192.168.56.101:58120 -> 164.124.101.2:53	2036289	ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)	Crypto Currency Mining Activity Detected
TCP 65.109.26.240:443 -> 192.168.56.101:49172	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 65.109.26.240:443 -> 192.168.56.101:49172	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49164 104.20.67.143:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	55:c8:82:61:30:05:42:80:db:47:5e:d0:66:b5:df:ac:14:5b:19:6f
TLS 1.2 192.168.56.101:49167 172.67.197.174:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=*.grabyourpizza.com	19:34:3f:f1:b2:75:20:7f:8a:58:d1:fd:26:b2:74:e2:ea:f8:76:e6
TLS 1.2 192.168.56.101:49166 172.67.216.81:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=flyawayaero.net	34:8b:a3:9d:94:c4:8d:02:5c:e1:f1:43:da:57:49:64:a9:1c:b6:fe
TLS 1.2 192.168.56.101:49173 45.130.41.101:443	C=US, O=Let's Encrypt, CN=R3	CN=laubenstein.space	d4:04:82:56:eb:8d:bb:fd:72:7a:36:fd:90:c1:07:aa:45:ac:92:27
TLS 1.2 192.168.56.101:49175 172.67.217.52:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=diplodoka.net	08:f2:0c:9e:cc:84:cd:91:24:54:d5:fe:5e:3f:a9:46:68:a2:58:33
TLS 1.2 192.168.56.101:49176 172.67.180.173:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=potatogoose.com	0f:a9:ea:9d:3e:af:d2:24:68:a0:8f:b7:58:00:c9:0b:f0:7f:31:37
TLS 1.2 192.168.56.101:49168 104.21.32.208:443	C=US, O=Let's Encrypt, CN=E1	CN=lycheepanel.info	9f:29:fd:d3:0f:46:b4:fc:1f:d0:06:c7:4e:4d:21:d0:21:08:ea:43
TLS 1.2 192.168.56.101:49177 107.167.110.216:443	C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1	C=NO, ST=Oslo, L=Oslo, O=Opera Norway AS, CN=net.geo.opera.com	8b:1e:84:38:9c:97:8c:be:f7:e1:0e:28:14:15:bb:08:cc:fb:ad:af
TLS 1.3 192.168.56.101:49192 131.153.76.130:80	None	None	None

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 19, 2023, 7:47 a.m.			0	0
IsDebuggerPresent Oct. 19, 2023, 7:47 a.m.			0	0
IsDebuggerPresent Oct. 19, 2023, 7:47 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 19, 2023, 7:47 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (10 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://85.217.144.143/files/My2.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://galandskiyher5.com/downloads/toolspub1.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://gobo02fc.top/build.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
suspicious_features	GET method with no useragent header	suspicious_request	GET https://pastebin.com/raw/xYhKBupz
suspicious_features	GET method with no useragent header	suspicious_request	GET https://grabyourpizza.com/7a54bdb20779c4359694feaa1398dd25.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://diplodoka.net/4d1aaeb879448e5236e36d2209b40d34/7a54bdb20779c4359694feaa1398dd25.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://potatogoose.com/4d1aaeb879448e5236e36d2209b40d34/baf14778c246e15550645e30ba78ce1c.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767

Performs some HTTP requests (11 events)

request	GET http://85.217.144.143/files/My2.exe
request	GET http://galandskiyher5.com/downloads/toolspub1.exe
request	GET http://gobo02fc.top/build.exe
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	GET http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
request	GET https://pastebin.com/raw/xYhKBupz
request	GET https://grabyourpizza.com/7a54bdb20779c4359694feaa1398dd25.exe
request	GET https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe
request	GET https://diplodoka.net/4d1aaeb879448e5236e36d2209b40d34/7a54bdb20779c4359694feaa1398dd25.exe
request	GET https://potatogoose.com/4d1aaeb879448e5236e36d2209b40d34/baf14778c246e15550645e30ba78ce1c.exe
request	GET https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

gobo02fc.top

description

Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (27 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 19, 2023, 7:47 a.m.	process_identifier: 2644 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00410000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 7:47 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2023, 7:47 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2023, 7:47 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 7:47 a.m.	process_identifier: 2644 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bf0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 7:47 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 7:47 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 7:47 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00435000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 7:47 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 7:47 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00437000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 7:47 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 7:47 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00426000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 7:47 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 7:47 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 7:47 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 7:47 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00427000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 7:47 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 7:47 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 7:47 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2023, 7:47 a.m.	process_identifier: 2856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 77824 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bce000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 7:47 a.m.	process_identifier: 2856 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2023, 7:47 a.m.	process_identifier: 2904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 192512 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002fe000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 7:47 a.m.	process_identifier: 2904 region_size: 331776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00890000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2023, 7:47 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4161536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02740000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 7:47 a.m.	process_identifier: 2972 region_size: 9351168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 19, 2023, 7:47 a.m.	process_identifier: 2964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4161536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02630000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 19, 2023, 7:47 a.m.	process_identifier: 2964 region_size: 9351168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (20 events)

file	C:\Users\test22\AppData\Local\MgMS5OiFfswJFaqP1XJOzDbR.exe
file	C:\Users\test22\AppData\Local\xBjmmfDRJg2QRIKnPa7ZT3BH.exe
file	C:\Users\test22\AppData\Local\Y72Obyt28sCjXyOLc6BYYcoK.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nDKrFetzE30B1WCAgFcMXvEc.bat
file	C:\Users\test22\Pictures\yA5UHXe5SsWoZZSRhhzJSkKQ.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8PHCoENUcAc11lrXF7bGtU9v.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wSFvxIqOzo0PqMDR2GJ84tgr.bat
file	C:\Users\test22\Pictures\YXnoCa8ogkWmtQBVkyIWVjTu.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2wZUjqKftOgnAMcKsFknTmR8.bat
file	C:\Users\test22\Pictures\ofG4l3a49c8jVWMpxDLXRIv2.exe
file	C:\Users\test22\Pictures\BbewQJjIF4TpHgbafcqE8yXQ.exe
file	C:\Users\test22\AppData\Local\hDZtpwYDwYmUs886OLJTqdVx.exe
file	C:\Users\test22\AppData\Local\qwJ2mUhoQWAMkbDTaTw6RBQj.exe
file	C:\Users\test22\AppData\Local\Temp\Opera_installer_2310190107596562064.dll
file	C:\Users\test22\Pictures\Sw3y8W0DslF2ivCXrkg0wwdg.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nwNnAYrBx2LLdrAT8cxhcInw.bat
file	C:\Users\test22\AppData\Local\d1qS2B0Pfafjv0YWtkURzyvS.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gAlRn4wMEOFeAqfvXpZufO0E.bat
file	C:\Users\test22\Pictures\Opera_installer_2310190107596562064.dll
file	C:\Users\test22\Pictures\JcZsP3apGXfj5EcWuRtH9Iph.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\qwJ2mUhoQWAMkbDTaTw6RBQj.exe
file	C:\Users\test22\AppData\Local\hDZtpwYDwYmUs886OLJTqdVx.exe

A process created a hidden window (6 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Oct. 19, 2023, 7:47 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\BbewQJjIF4TpHgbafcqE8yXQ.exe parameters: filepath: C:\Users\test22\Pictures\BbewQJjIF4TpHgbafcqE8yXQ.exe	1	1
ShellExecuteExW Oct. 19, 2023, 7:47 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\YXnoCa8ogkWmtQBVkyIWVjTu.exe parameters: filepath: C:\Users\test22\Pictures\YXnoCa8ogkWmtQBVkyIWVjTu.exe	1	1
ShellExecuteExW Oct. 19, 2023, 7:47 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\yA5UHXe5SsWoZZSRhhzJSkKQ.exe parameters: filepath: C:\Users\test22\Pictures\yA5UHXe5SsWoZZSRhhzJSkKQ.exe	1	1
ShellExecuteExW Oct. 19, 2023, 7:47 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\ofG4l3a49c8jVWMpxDLXRIv2.exe parameters: filepath: C:\Users\test22\Pictures\ofG4l3a49c8jVWMpxDLXRIv2.exe	1	1
ShellExecuteExW Oct. 19, 2023, 7:47 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\JcZsP3apGXfj5EcWuRtH9Iph.exe parameters: filepath: C:\Users\test22\Pictures\JcZsP3apGXfj5EcWuRtH9Iph.exe	1	1
ShellExecuteExW Oct. 19, 2023, 7:47 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\Sw3y8W0DslF2ivCXrkg0wwdg.exe parameters: --silent --allusers=0 filepath: C:\Users\test22\Pictures\Sw3y8W0DslF2ivCXrkg0wwdg.exe	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 19, 2023, 7:47 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00116600', u'virtual_address': u'0x0030f000', u'entropy': 7.9996915385094, u'name': u'UPX1', u'virtual_size': u'0x00117000'}

entropy

7.99969153851

description

A section with a high entropy has been found

entropy

0.999102736653

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (1 event)

url	https://docs.microsoft.com/windows/win32/fileio/maximum-file-path-limitation

Yara rule detected in process memory (14 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

The executable is compressed using UPX (3 events)

section	UPX0	description	Section name indicates UPX
section	UPX1	description	Section name indicates UPX
section	UPX2	description	Section name indicates UPX

Communicates with host for which no DNS query was performed (2 events)

host	162.159.135.233
host	85.217.144.143

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 19, 2023, 7:47 a.m.	process_identifier: 2644 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000000e4	1	0	0
NtAllocateVirtualMemory Oct. 19, 2023, 7:47 a.m.	process_identifier: 2084 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000009c	1	0	0

Installs itself for autorun at Windows startup (6 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wSFvxIqOzo0PqMDR2GJ84tgr.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nDKrFetzE30B1WCAgFcMXvEc.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8PHCoENUcAc11lrXF7bGtU9v.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nwNnAYrBx2LLdrAT8cxhcInw.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2wZUjqKftOgnAMcKsFknTmR8.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gAlRn4wMEOFeAqfvXpZufO0E.bat

Detects Avast Antivirus through the presence of a library (2 events)

Time & API	Arguments	Status	Return	Repeated
LdrGetDllHandle Oct. 19, 2023, 7:47 a.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0		3221225781	0
LdrGetDllHandle Oct. 19, 2023, 7:47 a.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0		3221225781	0

Drops a binary and executes it (3 events)

file	C:\Users\test22\Pictures\BbewQJjIF4TpHgbafcqE8yXQ.exe
file	C:\Users\test22\Pictures\yA5UHXe5SsWoZZSRhhzJSkKQ.exe
file	C:\Users\test22\Pictures\ofG4l3a49c8jVWMpxDLXRIv2.exe

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 19, 2023, 7:47 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2084 process_handle: 0x0000009c	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2856 called NtSetContextThread to modify thread in remote process 2084
NtSetContextThread Oct. 19, 2023, 7:47 a.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4206040 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000098 process_identifier: 2084	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2556 resumed a thread in remote process 2644
Process injection	Process 2856 resumed a thread in remote process 2084
NtResumeThread Oct. 19, 2023, 7:47 a.m.	thread_handle: 0x00000000000000e0 suspend_count: 1 process_identifier: 2644	1	0	0
NtResumeThread Oct. 19, 2023, 7:47 a.m.	thread_handle: 0x00000098 suspend_count: 1 process_identifier: 2084	1	0	0

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (42 events)

Time & API	Arguments	Status	Return
NtResumeThread Oct. 19, 2023, 7:47 a.m.	thread_handle: 0x00000000000000b0 suspend_count: 1 process_identifier: 2556	1	0
NtResumeThread Oct. 19, 2023, 7:47 a.m.	thread_handle: 0x00000000000000c8 suspend_count: 1 process_identifier: 2556	1	0
CreateProcessInternalW Oct. 19, 2023, 7:47 a.m.	thread_identifier: 2648 thread_handle: 0x00000000000000e0 process_identifier: 2644 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000000000000e4	1	1
NtAllocateVirtualMemory Oct. 19, 2023, 7:47 a.m.	process_identifier: 2644 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000000e4	1	0
NtResumeThread Oct. 19, 2023, 7:47 a.m.	thread_handle: 0x00000000000000e0 suspend_count: 1 process_identifier: 2644	1	0
NtResumeThread Oct. 19, 2023, 7:47 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2644	1	0
NtResumeThread Oct. 19, 2023, 7:47 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2644	1	0
NtResumeThread Oct. 19, 2023, 7:47 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2644	1	0
NtResumeThread Oct. 19, 2023, 7:47 a.m.	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 2644	1	0
NtResumeThread Oct. 19, 2023, 7:47 a.m.	thread_handle: 0x00000594 suspend_count: 1 process_identifier: 2644	1	0
NtResumeThread Oct. 19, 2023, 7:47 a.m.	thread_handle: 0x000005a8 suspend_count: 1 process_identifier: 2644	1	0
NtResumeThread Oct. 19, 2023, 7:47 a.m.	thread_handle: 0x000005bc suspend_count: 1 process_identifier: 2644	1	0
NtResumeThread Oct. 19, 2023, 7:47 a.m.	thread_handle: 0x000005d8 suspend_count: 1 process_identifier: 2644	1	0
NtResumeThread Oct. 19, 2023, 7:47 a.m.	thread_handle: 0x000005e4 suspend_count: 1 process_identifier: 2644	1	0
NtResumeThread Oct. 19, 2023, 7:47 a.m.	thread_handle: 0x000005f8 suspend_count: 1 process_identifier: 2644	1	0
NtResumeThread Oct. 19, 2023, 7:47 a.m.	thread_handle: 0x0000060c suspend_count: 1 process_identifier: 2644	1	0
NtResumeThread Oct. 19, 2023, 7:47 a.m.	thread_handle: 0x00000620 suspend_count: 1 process_identifier: 2644	1	0
NtResumeThread Oct. 19, 2023, 7:47 a.m.	thread_handle: 0x000006c8 suspend_count: 1 process_identifier: 2644	1	0
NtResumeThread Oct. 19, 2023, 7:47 a.m.	thread_handle: 0x000006ec suspend_count: 1 process_identifier: 2644	1	0
NtResumeThread Oct. 19, 2023, 7:47 a.m.	thread_handle: 0x00000748 suspend_count: 1 process_identifier: 2644	1	0
NtResumeThread Oct. 19, 2023, 7:47 a.m.	thread_handle: 0x000006f0 suspend_count: 1 process_identifier: 2644	1	0
NtResumeThread Oct. 19, 2023, 7:47 a.m.	thread_handle: 0x00000708 suspend_count: 1 process_identifier: 2644	1	0
CreateProcessInternalW Oct. 19, 2023, 7:47 a.m.	thread_identifier: 2860 thread_handle: 0x000008a8 process_identifier: 2856 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Pictures\BbewQJjIF4TpHgbafcqE8yXQ.exe track: 1 command_line: "C:\Users\test22\Pictures\BbewQJjIF4TpHgbafcqE8yXQ.exe" filepath_r: C:\Users\test22\Pictures\BbewQJjIF4TpHgbafcqE8yXQ.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000008b0	1	1
NtResumeThread Oct. 19, 2023, 7:47 a.m.	thread_handle: 0x00000708 suspend_count: 1 process_identifier: 2644	1	0
CreateProcessInternalW Oct. 19, 2023, 7:47 a.m.	thread_identifier: 2908 thread_handle: 0x000006dc process_identifier: 2904 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Pictures\YXnoCa8ogkWmtQBVkyIWVjTu.exe track: 1 command_line: "C:\Users\test22\Pictures\YXnoCa8ogkWmtQBVkyIWVjTu.exe" filepath_r: C:\Users\test22\Pictures\YXnoCa8ogkWmtQBVkyIWVjTu.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000005f4	1	1
NtResumeThread Oct. 19, 2023, 7:47 a.m.	thread_handle: 0x000006e8 suspend_count: 1 process_identifier: 2644	1	0
NtResumeThread Oct. 19, 2023, 7:47 a.m.	thread_handle: 0x000006e0 suspend_count: 1 process_identifier: 2644	1	0
NtResumeThread Oct. 19, 2023, 7:47 a.m.	thread_handle: 0x000005ec suspend_count: 1 process_identifier: 2644	1	0
CreateProcessInternalW Oct. 19, 2023, 7:47 a.m.	thread_identifier: 2976 thread_handle: 0x000005d4 process_identifier: 2972 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Pictures\yA5UHXe5SsWoZZSRhhzJSkKQ.exe track: 1 command_line: "C:\Users\test22\Pictures\yA5UHXe5SsWoZZSRhhzJSkKQ.exe" filepath_r: C:\Users\test22\Pictures\yA5UHXe5SsWoZZSRhhzJSkKQ.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000005b4	1	1
CreateProcessInternalW Oct. 19, 2023, 7:47 a.m.	thread_identifier: 2968 thread_handle: 0x000005a0 process_identifier: 2964 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Pictures\ofG4l3a49c8jVWMpxDLXRIv2.exe track: 1 command_line: "C:\Users\test22\Pictures\ofG4l3a49c8jVWMpxDLXRIv2.exe" filepath_r: C:\Users\test22\Pictures\ofG4l3a49c8jVWMpxDLXRIv2.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000678	1	1
NtResumeThread Oct. 19, 2023, 7:47 a.m.	thread_handle: 0x000005e8 suspend_count: 1 process_identifier: 2644	1	0
CreateProcessInternalW Oct. 19, 2023, 7:47 a.m.	thread_identifier: 604 thread_handle: 0x000005cc process_identifier: 1120 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Pictures\JcZsP3apGXfj5EcWuRtH9Iph.exe track: 1 command_line: "C:\Users\test22\Pictures\JcZsP3apGXfj5EcWuRtH9Iph.exe" filepath_r: C:\Users\test22\Pictures\JcZsP3apGXfj5EcWuRtH9Iph.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000634	1	1
NtResumeThread Oct. 19, 2023, 7:47 a.m.	thread_handle: 0x000005d8 suspend_count: 1 process_identifier: 2644	1	0
CreateProcessInternalW Oct. 19, 2023, 7:47 a.m.	thread_identifier: 2068 thread_handle: 0x000005d0 process_identifier: 2064 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Pictures\Sw3y8W0DslF2ivCXrkg0wwdg.exe track: 1 command_line: "C:\Users\test22\Pictures\Sw3y8W0DslF2ivCXrkg0wwdg.exe" --silent --allusers=0 filepath_r: C:\Users\test22\Pictures\Sw3y8W0DslF2ivCXrkg0wwdg.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000708	1	1
NtResumeThread Oct. 19, 2023, 7:48 a.m.	thread_handle: 0x0000068c suspend_count: 1 process_identifier: 2644	1	0
CreateProcessInternalW Oct. 19, 2023, 7:47 a.m.	thread_identifier: 2088 thread_handle: 0x00000098 process_identifier: 2084 current_directory: filepath: C:\Users\test22\Pictures\BbewQJjIF4TpHgbafcqE8yXQ.exe track: 1 command_line: "C:\Users\test22\Pictures\BbewQJjIF4TpHgbafcqE8yXQ.exe" filepath_r: C:\Users\test22\Pictures\BbewQJjIF4TpHgbafcqE8yXQ.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000009c	1	1
NtGetContextThread Oct. 19, 2023, 7:47 a.m.	thread_handle: 0x00000098	1	0
NtUnmapViewOfSection Oct. 19, 2023, 7:47 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2084 process_handle: 0x0000009c	1	0
NtAllocateVirtualMemory Oct. 19, 2023, 7:47 a.m.	process_identifier: 2084 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000009c	1	0
WriteProcessMemory Oct. 19, 2023, 7:47 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2084 process_handle: 0x0000009c	1	1
NtSetContextThread Oct. 19, 2023, 7:47 a.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4206040 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000098 process_identifier: 2084	1	0
NtResumeThread Oct. 19, 2023, 7:47 a.m.	thread_handle: 0x00000098 suspend_count: 1 process_identifier: 2084	1	0

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

Bkav	W64.AIDetectMalware
MicroWorld-eScan	Trojan.GenericKD.69869083
FireEye	Trojan.GenericKD.69869083
Skyhigh	Artemis!Trojan
CrowdStrike	win/malicious_confidence_60% (W)
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win64/GenKryptik.GPCL
APEX	Malicious
Cynet	Malicious (score: 99)
Kaspersky	Trojan-PSW.Win32.Stealerc.foj
BitDefender	Trojan.GenericKD.69869083
Avast	Win64:PWSX-gen [Trj]
Emsisoft	Trojan.GenericKD.69869083 (B)
F-Secure	Trojan.TR/AD.Nekark.wnzrz
DrWeb	Trojan.DownLoader46.24761
TrendMicro	TROJ_FRS.VSNTJI23
Trapmine	suspicious.low.ml.score
Sophos	Mal/Generic-S
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/AD.Nekark.wnzrz
MAX	malware (ai score=87)
Microsoft	Trojan:Win32/Casdet!rfn
Gridinsoft	Trojan.Win64.Glupteba.bot
ZoneAlarm	Trojan-PSW.Win32.Stealerc.foj
GData	Trojan.GenericKD.69869083
McAfee	Artemis!6E781CF49AF8
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_FRS.VSNTJI23
Rising	Trojan.Kryptik!8.8 (TFE:5:75OIvYcHgzD)
Ikarus	Trojan.Win64.Krypt
Fortinet	W64/GenKryptik.GMLD!tr
AVG	Win64:PWSX-gen [Trj]
Cybereason	malicious.00a472
DeepInstinct	MALICIOUS

Ads.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All