Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 24, 2023, 7:41 a.m.	Oct. 24, 2023, 7:48 a.m.

Size	776.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`bd136d61e094dd46fae5f3fda5d18d48`
SHA256	`b868d7a2a78e9436fc3675c1ddbcfa1eda4d73926a856acd36e54f9e5b09fba5`
CRC32	`1549884B`
ssdeep	`12288:VMjfMqgR/mZRM+BJ+Pe9X7/euLQD6uxUMNAdY+HP4l64ZdQVEyl1z6JddtR2k:4gkZR5uaXL4HAdj41ZdAEKd6nl2`
PDB Path	KQLG.pdb
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Is_DotNET_EXE - (no description)

snow.exe "C:\Users\test22\AppData\Local\Temp\snow.exe"
2540
- snow.exe "C:\Users\test22\AppData\Local\Temp\snow.exe"
  2888

Name	Response	Post-Analysis Lookup
mymobileorder.com	A 162.0.232.65	162.0.232.65
api.ipify.org	A 173.231.16.77 A 64.185.227.156 CNAME api4.ipify.org A 104.237.62.212	64.185.227.156

IP Address	Status	Action
162.0.232.65	Active	Moloch
164.124.101.2	Active	Moloch
64.185.227.156	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2047702	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup	Misc activity
UDP 192.168.56.101:59002 -> 8.8.8.8:53	2047702	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup	Misc activity
TCP 162.0.232.65:587 -> 192.168.56.101:49167	2260002	SURICATA Applayer Detect protocol only one direction	Generic Protocol Command Decode
TCP 192.168.56.101:49167 -> 162.0.232.65:587	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 64.185.227.156:443 -> 192.168.56.101:49166	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 64.185.227.156:443	2047703	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI	Misc activity
TCP 192.168.56.101:49166 -> 64.185.227.156:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 64.185.227.156:443	2047703	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI	Misc activity
TCP 192.168.56.101:49166 -> 64.185.227.156:443	2047703	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49167 162.0.232.65:587	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=mymobileorder.com	b6:4e:39:49:5c:2c:78:8c:2a:17:c7:74:24:e3:ee:0c:11:1c:27:a8

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 24, 2023, 7:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 24, 2023, 7:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 24, 2023, 7:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 24, 2023, 7:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 24, 2023, 7:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 24, 2023, 7:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 24, 2023, 7:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 24, 2023, 7:42 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 24, 2023, 7:41 a.m.			0	0
IsDebuggerPresent Oct. 24, 2023, 7:41 a.m.			0	0
IsDebuggerPresent Oct. 24, 2023, 7:42 a.m.			0	0
IsDebuggerPresent Oct. 24, 2023, 7:42 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

KQLG.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 24, 2023, 7:41 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 24, 2023, 7:42 a.m.	stacktrace: 0x20607c4 0x2060707 0x2060537 0x2060075 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73faf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc ff 15 1c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2063a6f registers.esp: 3732072 registers.edi: 3732096 registers.eax: 0 registers.ebp: 3732108 registers.edx: 195 registers.ebx: 3732356 registers.esi: 37293436 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 24, 2023, 7:42 a.m.

stacktrace:

0x20607c4
0x2060707
0x2060537
0x2060075
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73faf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc ff 15 1c
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x2063a6f
registers.esp: 3732072
registers.edi: 3732096
registers.eax: 0
registers.ebp: 3732108
registers.edx: 195
registers.ebx: 3732356
registers.esi: 37293436
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 113 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00590000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00680000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00512000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00595000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0051a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00537000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732e2000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a25000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a26000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a27000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a28000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a70178 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a701a0 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a701c8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a85efe process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a85ef2 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 72 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a70208 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a7df00 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a7df20 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a7df28 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a7df2c process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a7df34 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a7df38 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a7df3c process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a7df40 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a7df48 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a7df4c process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a7df50 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a7df58 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a7df5c process_handle: 0xffffffff		3221225550
NtAllocateVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a2a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 24, 2023, 7:42 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a2b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 24, 2023, 7:42 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0051c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 24, 2023, 7:42 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a2c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 24, 2023, 7:42 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a2d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0

Steals private information from local Internet browsers (11 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Looks up the external IP address (1 event)

domain

api.ipify.org

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW Oct. 24, 2023, 7:42 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Roaming\YseEYgM\YseEYgM.exe filepath: C:\Users\test22\AppData\Roaming\YseEYgM\YseEYgM.exe	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 24, 2023, 7:42 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000b3600', u'virtual_address': u'0x00002000', u'entropy': 7.797877652143136, u'name': u'.text', u'virtual_size': u'0x000b351c'}

entropy

7.79787765214

description

A section with a high entropy has been found

entropy

0.924613402062

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 24, 2023, 7:42 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Oct. 24, 2023, 7:42 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (13 events)

description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications smtp	rule	Network_SMTP_dotNet
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Win32 PWS Loki	rule	Win32_PWS_Loki_m_Zero
description	Run a KeyLogger	rule	KeyLogger

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Oct. 24, 2023, 7:42 a.m.	status_code: 0xffffffff process_identifier: 2852 process_handle: 0x000002ac		0	0
NtTerminateProcess Oct. 24, 2023, 7:42 a.m.	status_code: 0xffffffff process_identifier: 2852 process_handle: 0x000002ac	1	0	0

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 24, 2023, 7:42 a.m.	process_identifier: 2852 region_size: 278528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a8		3221225496	0
NtAllocateVirtualMemory Oct. 24, 2023, 7:42 a.m.	process_identifier: 2888 region_size: 278528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b4	1	0	0

A process attempted to delay the analysis task. (1 event)

description

snow.exe tried to sleep 2728259 seconds, actually delayed analysis time by 2728259 seconds

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\YseEYgM

reg_value

C:\Users\test22\AppData\Roaming\YseEYgM\YseEYgM.exe

Harvests credentials from local FTP client softwares (5 events)

file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect
file	C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
registry	HKEY_CURRENT_USER\SOFTWARE\FTPWare\COREFTP\Sites

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2540 manipulating memory of non-child process 2852
NtAllocateVirtualMemory Oct. 24, 2023, 7:42 a.m.	process_identifier: 2852 region_size: 278528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a8		3221225496	0

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Oct. 24, 2023, 7:42 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELU2eàÆîå @ @@ åKF H.textôÅ Æ `.rsrcFÈ@@.reloc Î@B base_address: 0x00400000 process_identifier: 2888 process_handle: 0x000002b4	1	1
WriteProcessMemory Oct. 24, 2023, 7:42 a.m.	buffer: P8h ¼\ê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion1.0.0.0t)InternalNamef7a7df1c-0f21-4296-a9af-4a4688e18434.exe(LegalCopyright \|)OriginalFilenamef7a7df1c-0f21-4296-a9af-4a4688e18434.exe4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00440000 process_identifier: 2888 process_handle: 0x000002b4	1	1
WriteProcessMemory Oct. 24, 2023, 7:42 a.m.	buffer: àð5 base_address: 0x00442000 process_identifier: 2888 process_handle: 0x000002b4	1	1
WriteProcessMemory Oct. 24, 2023, 7:42 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2888 process_handle: 0x000002b4	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 24, 2023, 7:42 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELU2eàÆîå @ @@ åKF H.textôÅ Æ `.rsrcFÈ@@.reloc Î@B base_address: 0x00400000 process_identifier: 2888 process_handle: 0x000002b4	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA Oct. 24, 2023, 7:42 a.m.	thread_identifier: 0 callback_function: 0x005d08ca hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	524653	0

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
registry	HKEY_CURRENT_USER\Software\RimArts\B2\Settings

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2540 called NtSetContextThread to modify thread in remote process 2888
NtSetContextThread Oct. 24, 2023, 7:42 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4449774 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002ac process_identifier: 2888	1	0	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Roaming\YseEYgM\YseEYgM.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2540 resumed a thread in remote process 2888
NtResumeThread Oct. 24, 2023, 7:42 a.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 2888	1	0	0

Executed a process and injected code into it, probably while unpacking (34 events)

Time & API	Arguments	Status	Return
NtResumeThread Oct. 24, 2023, 7:41 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2540	1	0
NtResumeThread Oct. 24, 2023, 7:41 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2540	1	0
NtResumeThread Oct. 24, 2023, 7:41 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2540	1	0
NtResumeThread Oct. 24, 2023, 7:41 a.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 2540	1	0
NtGetContextThread Oct. 24, 2023, 7:41 a.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread Oct. 24, 2023, 7:41 a.m.	thread_handle: 0x000000e4	1	0
NtResumeThread Oct. 24, 2023, 7:41 a.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2540	1	0
NtGetContextThread Oct. 24, 2023, 7:41 a.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread Oct. 24, 2023, 7:41 a.m.	thread_handle: 0x000000e4	1	0
NtResumeThread Oct. 24, 2023, 7:41 a.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2540	1	0
NtResumeThread Oct. 24, 2023, 7:42 a.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 2540	1	0
CreateProcessInternalW Oct. 24, 2023, 7:42 a.m.	thread_identifier: 2856 thread_handle: 0x000002a4 process_identifier: 2852 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\snow.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\snow.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002a8	1	1
NtGetContextThread Oct. 24, 2023, 7:42 a.m.	thread_handle: 0x000002a4	1	0
NtAllocateVirtualMemory Oct. 24, 2023, 7:42 a.m.	process_identifier: 2852 region_size: 278528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a8		3221225496
CreateProcessInternalW Oct. 24, 2023, 7:42 a.m.	thread_identifier: 2892 thread_handle: 0x000002ac process_identifier: 2888 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\snow.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\snow.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002b4	1	1
NtGetContextThread Oct. 24, 2023, 7:42 a.m.	thread_handle: 0x000002ac	1	0
NtAllocateVirtualMemory Oct. 24, 2023, 7:42 a.m.	process_identifier: 2888 region_size: 278528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b4	1	0
WriteProcessMemory Oct. 24, 2023, 7:42 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELU2eàÆîå @ @@ åKF H.textôÅ Æ `.rsrcFÈ@@.reloc Î@B base_address: 0x00400000 process_identifier: 2888 process_handle: 0x000002b4	1	1
WriteProcessMemory Oct. 24, 2023, 7:42 a.m.	buffer: base_address: 0x00402000 process_identifier: 2888 process_handle: 0x000002b4	1	1
WriteProcessMemory Oct. 24, 2023, 7:42 a.m.	buffer: P8h ¼\ê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion1.0.0.0t)InternalNamef7a7df1c-0f21-4296-a9af-4a4688e18434.exe(LegalCopyright \|)OriginalFilenamef7a7df1c-0f21-4296-a9af-4a4688e18434.exe4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00440000 process_identifier: 2888 process_handle: 0x000002b4	1	1
WriteProcessMemory Oct. 24, 2023, 7:42 a.m.	buffer: àð5 base_address: 0x00442000 process_identifier: 2888 process_handle: 0x000002b4	1	1
WriteProcessMemory Oct. 24, 2023, 7:42 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2888 process_handle: 0x000002b4	1	1
NtSetContextThread Oct. 24, 2023, 7:42 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4449774 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002ac process_identifier: 2888	1	0
NtResumeThread Oct. 24, 2023, 7:42 a.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 2888	1	0
NtResumeThread Oct. 24, 2023, 7:42 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2888	1	0
NtResumeThread Oct. 24, 2023, 7:42 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2888	1	0
NtResumeThread Oct. 24, 2023, 7:42 a.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 2888	1	0
NtResumeThread Oct. 24, 2023, 7:42 a.m.	thread_handle: 0x00000288 suspend_count: 1 process_identifier: 2888	1	0
NtResumeThread Oct. 24, 2023, 7:42 a.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 2888	1	0
NtResumeThread Oct. 24, 2023, 7:42 a.m.	thread_handle: 0x00000364 suspend_count: 1 process_identifier: 2888	1	0
NtResumeThread Oct. 24, 2023, 7:42 a.m.	thread_handle: 0x0000039c suspend_count: 1 process_identifier: 2888	1	0
NtResumeThread Oct. 24, 2023, 7:42 a.m.	thread_handle: 0x000004e0 suspend_count: 1 process_identifier: 2888	1	0
NtResumeThread Oct. 24, 2023, 7:42 a.m.	thread_handle: 0x000005a8 suspend_count: 1 process_identifier: 2888	1	0
NtResumeThread Oct. 24, 2023, 7:42 a.m.	thread_handle: 0x0000038c suspend_count: 1 process_identifier: 2888	1	0

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 events)

Lionic	Trojan.Win32.Heracles.4!c
Elastic	malicious (high confidence)
DrWeb	Trojan.PackedNET.2481
MicroWorld-eScan	Gen:Variant.MSILHeracles.115356
FireEye	Generic.mg.bd136d61e094dd46
Skyhigh	BehavesLike.Win32.Generic.bc
McAfee	Artemis!BD136D61E094
Malwarebytes	Malware.AI.4043837281
VIPRE	Gen:Variant.MSILHeracles.115356
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.MSILHeracles.D1C29C
BitDefenderTheta	Gen:NN.ZemsilF.36792.Wm0@aujhXHc
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	Scr.Malcode!gdn34
ESET-NOD32	a variant of MSIL/Kryptik.AJXV
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender	Gen:Variant.MSILHeracles.115356
Avast	Win32:PWSX-gen [Trj]
Emsisoft	Gen:Variant.MSILHeracles.115356 (B)
Sophos	Troj/Krypt-ABH
Ikarus	Win32.Outbreak
Google	Detected
Avira	TR/AD.GenSteal.apvsd
MAX	malware (ai score=81)
Gridinsoft	Trojan.Win32.AgentTesla.bot
Microsoft	Trojan:MSIL/AgentTesla.ASFC!MTB
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Agensla.gen
GData	Gen:Variant.MSILHeracles.115356
Varist	W32/MSIL_Troj.CXI.gen!Eldorado
AhnLab-V3	Trojan/Win.PWSX-gen.C5527502
ALYac	Gen:Variant.MSILHeracles.115356
Cylance	unsafe
TrendMicro-HouseCall	TROJ_GEN.R002H0CJN23
Rising	Malware.Obfus/MSIL@AI.90 (RDM.MSIL2:3FgKUjSvqPRZVjjrXF+bAg)
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.ZXP!tr
AVG	Win32:PWSX-gen [Trj]
Cybereason	malicious.d0803a
DeepInstinct	MALICIOUS

snow.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All