Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 24, 2023, 7:41 a.m.	Oct. 24, 2023, 7:50 a.m.

Size	1.3MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`f281b31a99932f0d6c1fa3dd0649a36a`
SHA256	`29d9f955b553825fb23351f9daa7d4d0647153073e0d1465f24e674d6378ba06`
CRC32	`273D47D0`
ssdeep	`24576:t2dY5PVbHkHp3o6IoiEb7orLa9aCAQgaHEddMVmzut7BTF77l//ugU:dPVIo6iE/8LaoCAQgaHUMVmzutdRHNW`
PDB Path	F:\sDll_launch\x64\Release\sDll_launch.pdb
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE64 - (no description) Antivirus - Contains references to security software Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet OS_Processor_Check_Zero - OS Processor Check Generic_Malware_Zero - Generic Malware

angi.exe "C:\Users\test22\AppData\Local\Temp\angi.exe"
1268
- rundll32.exe C:\Windows\system32\rundll32.exe acbffdecbe.sys,#1
  2116
  - rundll32.exe C:\Windows\system32\rundll32.exe acbffdecbe.sys,#1
    2160

Name	Response	Post-Analysis Lookup
bluesaks.fun	A 104.21.34.166 A 172.67.163.21	104.21.34.166

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.67.163.21	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49167 -> 172.67.163.21:80	2048093	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 172.67.163.21:80	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 24, 2023, 7:43 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 24, 2023, 7:41 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

F:\sDll_launch\x64\Release\sDll_launch.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 24, 2023, 7:43 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	text
section	data

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST http://bluesaks.fun/api

Performs some HTTP requests (1 event)

request

POST http://bluesaks.fun/api

Sends data using the HTTP POST Method (1 event)

request

POST http://bluesaks.fun/api

Allocates read-write-execute memory (usually to unpack itself) (15 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7440b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74380000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:41 a.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74351000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:43 a.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74021000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:43 a.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:43 a.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:43 a.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75931000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:43 a.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76e01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:43 a.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x752e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:43 a.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76971000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:43 a.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:43 a.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:43 a.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:43 a.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2023, 7:43 a.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ee1000 process_handle: 0xffffffff	1

Steals private information from local Internet browsers (50 out of 76 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\acbffdecbe.sys

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (39 events)

Time & API	Arguments	Status	Return
Process32FirstW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: [System Process] process_identifier: 0	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: System process_identifier: 4	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: smss.exe process_identifier: 232	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: csrss.exe process_identifier: 308	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: wininit.exe process_identifier: 344	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: csrss.exe process_identifier: 356	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: winlogon.exe process_identifier: 392	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: services.exe process_identifier: 436	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: lsass.exe process_identifier: 452	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: lsm.exe process_identifier: 460	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: svchost.exe process_identifier: 560	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: svchost.exe process_identifier: 636	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: svchost.exe process_identifier: 716	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: svchost.exe process_identifier: 780	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: svchost.exe process_identifier: 824	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: audiodg.exe process_identifier: 896	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: svchost.exe process_identifier: 984	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: svchost.exe process_identifier: 340	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: spoolsv.exe process_identifier: 1060	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: taskhost.exe process_identifier: 1112	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: svchost.exe process_identifier: 1120	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: dwm.exe process_identifier: 1192	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: explorer.exe process_identifier: 1236	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: svchost.exe process_identifier: 1744	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: pw.exe process_identifier: 1888	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: SearchIndexer.exe process_identifier: 1652	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: pw.exe process_identifier: 1940	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: taskhost.exe process_identifier: 1680	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: SearchProtocolHost.exe process_identifier: 1664	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: SearchFilterHost.exe process_identifier: 1616	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: rundll32.exe process_identifier: 2116	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: rundll32.exe process_identifier: 2160	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: svchost.exe process_identifier: 2380	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: mscorsvw.exe process_identifier: 2408	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: mscorsvw.exe process_identifier: 2456	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: sppsvc.exe process_identifier: 2508	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x000003c8 process_name: cmd.exe process_identifier: 2884	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x000003c8 process_name: conhost.exe process_identifier: 2892	1	1
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x000003c8 process_name: pw.exe process_identifier: 2916	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00144800', u'virtual_address': u'0x00001000', u'entropy': 7.3106874756121485, u'name': u'.text', u'virtual_size': u'0x00144770'}

entropy

7.31068747561

description

A section with a high entropy has been found

entropy

0.944343397599

description

Overall entropy of this PE file is high

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (32 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: sppsvc.exe process_identifier: 2508		0	0
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x00000304 process_name: sppsvc.exe process_identifier: 2508		0	0
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: sppsvc.exe process_identifier: 2508		0	0
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x00000304 process_name: sppsvc.exe process_identifier: 2508		0	0
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x0000032c process_name: sppsvc.exe process_identifier: 2508		0	0
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x000003c8 process_name: pw.exe process_identifier: 2916		0	0
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x000003a8 process_name: pw.exe process_identifier: 2916		0	0
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x000003c8 process_name: pw.exe process_identifier: 2916		0	0
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x000003a8 process_name: pw.exe process_identifier: 2916		0	0
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x000003c8 process_name: pw.exe process_identifier: 2916		0	0
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x000003cc process_name: pw.exe process_identifier: 2916		0	0
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x000003c8 process_name: pw.exe process_identifier: 2916		0	0
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x000003cc process_name: pw.exe process_identifier: 2916		0	0
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x000003c8 process_name: pw.exe process_identifier: 2916		0	0
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x000003cc process_name: pw.exe process_identifier: 2916		0	0
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x000003a8 process_name: pw.exe process_identifier: 2916		0	0
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x000003cc process_name: pw.exe process_identifier: 2916		0	0
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x000003a8 process_name: pw.exe process_identifier: 2916		0	0
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x000003cc process_name: pw.exe process_identifier: 2916		0	0
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x000003a8 process_name: pw.exe process_identifier: 2916		0	0
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x000003c8 process_name: pw.exe process_identifier: 2916		0	0
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x000003a8 process_name: pw.exe process_identifier: 2916		0	0
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x000003c8 process_name: pw.exe process_identifier: 2916		0	0
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x000003a8 process_name: pw.exe process_identifier: 2916		0	0
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x000003c8 process_name: pw.exe process_identifier: 2916		0	0
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x000003cc process_name: pw.exe process_identifier: 2916		0	0
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x000003c8 process_name: pw.exe process_identifier: 2916		0	0
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x000003cc process_name: pw.exe process_identifier: 2916		0	0
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x000003c8 process_name: pw.exe process_identifier: 2916		0	0
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x000003cc process_name: pw.exe process_identifier: 2916		0	0
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x000003a8 process_name: pw.exe process_identifier: 2916		0	0
Process32NextW Oct. 24, 2023, 7:43 a.m.	snapshot_handle: 0x000003cc process_name: pw.exe process_identifier: 2916		0	0

Attempts to access Bitcoin/ALTCoin wallets (2 events)

file	C:\Users\test22\AppData\Roaming\Bitcoin\wallets
file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Appends a known CryptoMix ransomware file extension to files that have been encrypted (1 event)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet

File has been identified by 37 AntiVirus engines on VirusTotal as malicious (37 events)

Bkav	W64.AIDetectMalware
Lionic	Trojan.Win32.Injuke.16!c
Elastic	malicious (moderate confidence)
MicroWorld-eScan	Trojan.GenericKD.69959381
Skyhigh	BehavesLike.Win64.Generic.tc
ALYac	Trojan.GenericKD.69959381
Cybereason	malicious.26f84d
Arcabit	Trojan.Generic.D42B7ED5
Symantec	Trojan.Gen.2
ESET-NOD32	a variant of Generik.EOSWKLX
Kaspersky	Trojan.Win32.Injuke.iqoo
BitDefender	Trojan.GenericKD.69959381
Avast	Win64:DropperX-gen [Drp]
Tencent	Win32.Trojan.Injuke.Ltgl
Emsisoft	Trojan.GenericKD.69959381 (B)
VIPRE	Trojan.GenericKD.69959381
TrendMicro	TrojanSpy.Win64.LUMMASTEALER.YXDJVZ
FireEye	Trojan.GenericKD.69959381
Sophos	Mal/Generic-S
Webroot	W32.Trojan.GenKD
Google	Detected
MAX	malware (ai score=87)
Antiy-AVL	Trojan/Script.Phonzy
Gridinsoft	Trojan.Win64.Generic.ca
Microsoft	Trojan:Win32/Casdet!rfn
ZoneAlarm	Trojan.Win32.Injuke.iqoo
GData	Trojan.GenericKD.69959381
Varist	W64/ABRisk.DYXR-4879
McAfee	Artemis!F281B31A9993
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TrojanSpy.Win64.LUMMASTEALER.YXDJVZ
Rising	Trojan.Undefined!8.1327C (CLOUD)
Ikarus	Trojan.SuspectCRC
Fortinet	PossibleThreat.MU
AVG	Win64:DropperX-gen [Drp]
DeepInstinct	MALICIOUS

angi.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All