Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 25, 2023, 5:53 p.m.	Nov. 25, 2023, 6 p.m.

Size	1.5MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`6866f4e7450d085b19ad1aa9adaca819`
SHA256	`93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e`
CRC32	`0E90C60E`
ssdeep	`24576:NQIsq2Q2GOAO4fCCy7gtsICmEly/nDBRyqni3xbU4eWxDJ3YsXv6+tH9ZPz1:NQIsq2Q2GOAO4fCZ7YsL8/KqihAsxDJX`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

Jqjfw.exe "C:\Users\test22\AppData\Local\Temp\Jqjfw.exe"
1460
- Jqjfw.exe C:\Users\test22\AppData\Local\Temp\Jqjfw.exe
  2068
  - Utsysc.exe "C:\Users\test22\AppData\Local\Temp\037ceed7fc\Utsysc.exe"
    2232
    - Utsysc.exe C:\Users\test22\AppData\Local\Temp\037ceed7fc\Utsysc.exe
      2308
      - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\037ceed7fc\Utsysc.exe" /F
        2388
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
brodoyouevenlift.co.za
yeahweliftbro.cz

IP Address	Status	Action
164.124.101.2	Active	Moloch
65.108.99.238	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Nov. 25, 2023, 5:53 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 25, 2023, 5:53 p.m.			0	0
IsDebuggerPresent Nov. 25, 2023, 5:53 p.m.			0	0
IsDebuggerPresent Nov. 25, 2023, 5:53 p.m.			0	0
IsDebuggerPresent Nov. 25, 2023, 5:53 p.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Nov. 25, 2023, 5:53 p.m.	buffer: SUCCESS: The scheduled task "Utsysc.exe" has successfully been created. console_handle: 0x00000007	1	1	0

Uses Windows APIs to generate a cryptographic key (12 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 25, 2023, 5:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00901968 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 25, 2023, 5:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00901968 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 25, 2023, 5:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x009019a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 25, 2023, 5:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00901ba8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 25, 2023, 5:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00901ba8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 25, 2023, 5:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00901c68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 25, 2023, 5:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00693408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 25, 2023, 5:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00693408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 25, 2023, 5:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00693508 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 25, 2023, 5:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00693748 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 25, 2023, 5:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00693748 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 25, 2023, 5:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00693808 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 25, 2023, 5:53 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 108 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00240000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00860000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a31000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a33000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a34000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a35000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a36000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a37000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a38000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a39000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a3a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002bd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b7f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a3b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a3c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a3d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a3e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a3f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00db0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00db1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002be000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00db2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00db3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00db4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00db5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00db6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002bf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00db7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00db8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00db9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00dba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00dbb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00dbc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\037ceed7fc\Utsysc.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\037ceed7fc\Utsysc.exe" /F

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\037ceed7fc\Utsysc.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\037ceed7fc\Utsysc.exe

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Nov. 25, 2023, 5:53 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\037ceed7fc\Utsysc.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\037ceed7fc\Utsysc.exe	1	1	0
ShellExecuteExW Nov. 25, 2023, 5:53 p.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\037ceed7fc\Utsysc.exe" /F filepath: SCHTASKS	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 25, 2023, 5:53 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Nov. 25, 2023, 5:53 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (34 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications over HTTP	rule	Network_HTTP
description	Communications smtp	rule	Network_SMTP_dotNet
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications over HTTP	rule	Network_HTTP
description	Communications smtp	rule	Network_SMTP_dotNet
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Match Windows Inet API call	rule	Str_Win32_Internet_API

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	C:\Users\test22\AppData\Local\Temp\037ceed7fc\Utsysc.exe
cmdline	"C:\Users\test22\AppData\Local\Temp\037ceed7fc\Utsysc.exe"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\037ceed7fc\Utsysc.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\037ceed7fc\Utsysc.exe" /F

Communicates with host for which no DNS query was performed (1 event)

host

65.108.99.238

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 2068 region_size: 462848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	1	0	0
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 2308 region_size: 462848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000025c	1	0	0

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Installs itself for autorun at Windows startup (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\037ceed7fc\Utsysc.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\037ceed7fc\Utsysc.exe" /F

Potential code injection by writing to the memory of another process (6 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Nov. 25, 2023, 5:53 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $wDþØ3%3%3%hM=%hM%hM %æH!%æH'%æHF%hM"%3%ã%¨K2%¨Ko2%¨K2%Rich3%PEL£_eà,¸@@@ìK´°àÀ(O Õ8\|ÖØÕ@@.text , `.rdata~@0@@.dataôF`4N@À.rsrcà°@@.reloc(OÀP@B base_address: 0x00400000 process_identifier: 2068 process_handle: 0x00000258	1	1
WriteProcessMemory Nov. 25, 2023, 5:53 p.m.	buffer: 0 H`°}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0046b000 process_identifier: 2068 process_handle: 0x00000258	1	1
WriteProcessMemory Nov. 25, 2023, 5:53 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2068 process_handle: 0x00000258	1	1
WriteProcessMemory Nov. 25, 2023, 5:53 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $wDþØ3%3%3%hM=%hM%hM %æH!%æH'%æHF%hM"%3%ã%¨K2%¨Ko2%¨K2%Rich3%PEL£_eà,¸@@@ìK´°àÀ(O Õ8\|ÖØÕ@@.text , `.rdata~@0@@.dataôF`4N@À.rsrcà°@@.reloc(OÀP@B base_address: 0x00400000 process_identifier: 2308 process_handle: 0x0000025c	1	1
WriteProcessMemory Nov. 25, 2023, 5:53 p.m.	buffer: 0 H`°}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0046b000 process_identifier: 2308 process_handle: 0x0000025c	1	1
WriteProcessMemory Nov. 25, 2023, 5:53 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2308 process_handle: 0x0000025c	1	1

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 25, 2023, 5:53 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $wDþØ3%3%3%hM=%hM%hM %æH!%æH'%æHF%hM"%3%ã%¨K2%¨Ko2%¨K2%Rich3%PEL£_eà,¸@@@ìK´°àÀ(O Õ8\|ÖØÕ@@.text , `.rdata~@0@@.dataôF`4N@À.rsrcà°@@.reloc(OÀP@B base_address: 0x00400000 process_identifier: 2068 process_handle: 0x00000258	1	1	0
WriteProcessMemory Nov. 25, 2023, 5:53 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $wDþØ3%3%3%hM=%hM%hM %æH!%æH'%æHF%hM"%3%ã%¨K2%¨Ko2%¨K2%Rich3%PEL£_eà,¸@@@ìK´°àÀ(O Õ8\|ÖØÕ@@.text , `.rdata~@0@@.dataôF`4N@À.rsrcà°@@.reloc(OÀP@B base_address: 0x00400000 process_identifier: 2308 process_handle: 0x0000025c	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1460 called NtSetContextThread to modify thread in remote process 2068
Process injection	Process 2232 called NtSetContextThread to modify thread in remote process 2308
NtSetContextThread Nov. 25, 2023, 5:53 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4330649 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000254 process_identifier: 2068	1	0	0
NtSetContextThread Nov. 25, 2023, 5:53 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4330649 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000258 process_identifier: 2308	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1460 resumed a thread in remote process 2068
Process injection	Process 2232 resumed a thread in remote process 2308
NtResumeThread Nov. 25, 2023, 5:53 p.m.	thread_handle: 0x00000254 suspend_count: 1 process_identifier: 2068	1	0	0
NtResumeThread Nov. 25, 2023, 5:53 p.m.	thread_handle: 0x00000258 suspend_count: 1 process_identifier: 2308	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

65.108.99.238:80

Executed a process and injected code into it, probably while unpacking (33 events)

Time & API	Arguments	Status	Return
NtResumeThread Nov. 25, 2023, 5:53 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1460	1	0
NtResumeThread Nov. 25, 2023, 5:53 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 1460	1	0
NtResumeThread Nov. 25, 2023, 5:53 p.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 1460	1	0
CreateProcessInternalW Nov. 25, 2023, 5:53 p.m.	thread_identifier: 2072 thread_handle: 0x00000254 process_identifier: 2068 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\Jqjfw.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000258	1	1
NtGetContextThread Nov. 25, 2023, 5:53 p.m.	thread_handle: 0x00000254	1	0
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 2068 region_size: 462848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	1	0
WriteProcessMemory Nov. 25, 2023, 5:53 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $wDþØ3%3%3%hM=%hM%hM %æH!%æH'%æHF%hM"%3%ã%¨K2%¨Ko2%¨K2%Rich3%PEL£_eà,¸@@@ìK´°àÀ(O Õ8\|ÖØÕ@@.text , `.rdata~@0@@.dataôF`4N@À.rsrcà°@@.reloc(OÀP@B base_address: 0x00400000 process_identifier: 2068 process_handle: 0x00000258	1	1
WriteProcessMemory Nov. 25, 2023, 5:53 p.m.	buffer: base_address: 0x00401000 process_identifier: 2068 process_handle: 0x00000258	1	1
WriteProcessMemory Nov. 25, 2023, 5:53 p.m.	buffer: base_address: 0x00454000 process_identifier: 2068 process_handle: 0x00000258	1	1
WriteProcessMemory Nov. 25, 2023, 5:53 p.m.	buffer: base_address: 0x00466000 process_identifier: 2068 process_handle: 0x00000258	1	1
WriteProcessMemory Nov. 25, 2023, 5:53 p.m.	buffer: 0 H`°}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0046b000 process_identifier: 2068 process_handle: 0x00000258	1	1
WriteProcessMemory Nov. 25, 2023, 5:53 p.m.	buffer: base_address: 0x0046c000 process_identifier: 2068 process_handle: 0x00000258	1	1
WriteProcessMemory Nov. 25, 2023, 5:53 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2068 process_handle: 0x00000258	1	1
NtSetContextThread Nov. 25, 2023, 5:53 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4330649 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000254 process_identifier: 2068	1	0
NtResumeThread Nov. 25, 2023, 5:53 p.m.	thread_handle: 0x00000254 suspend_count: 1 process_identifier: 2068	1	0
CreateProcessInternalW Nov. 25, 2023, 5:53 p.m.	thread_identifier: 2236 thread_handle: 0x00000328 process_identifier: 2232 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\037ceed7fc\Utsysc.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\037ceed7fc\Utsysc.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\037ceed7fc\Utsysc.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000330	1	1
NtResumeThread Nov. 25, 2023, 5:53 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2232	1	0
NtResumeThread Nov. 25, 2023, 5:53 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2232	1	0
NtResumeThread Nov. 25, 2023, 5:53 p.m.	thread_handle: 0x00000200 suspend_count: 1 process_identifier: 2232	1	0
CreateProcessInternalW Nov. 25, 2023, 5:53 p.m.	thread_identifier: 2312 thread_handle: 0x00000258 process_identifier: 2308 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\037ceed7fc\Utsysc.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000025c	1	1
NtGetContextThread Nov. 25, 2023, 5:53 p.m.	thread_handle: 0x00000258	1	0
NtAllocateVirtualMemory Nov. 25, 2023, 5:53 p.m.	process_identifier: 2308 region_size: 462848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000025c	1	0
WriteProcessMemory Nov. 25, 2023, 5:53 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $wDþØ3%3%3%hM=%hM%hM %æH!%æH'%æHF%hM"%3%ã%¨K2%¨Ko2%¨K2%Rich3%PEL£_eà,¸@@@ìK´°àÀ(O Õ8\|ÖØÕ@@.text , `.rdata~@0@@.dataôF`4N@À.rsrcà°@@.reloc(OÀP@B base_address: 0x00400000 process_identifier: 2308 process_handle: 0x0000025c	1	1
WriteProcessMemory Nov. 25, 2023, 5:53 p.m.	buffer: base_address: 0x00401000 process_identifier: 2308 process_handle: 0x0000025c	1	1
WriteProcessMemory Nov. 25, 2023, 5:53 p.m.	buffer: base_address: 0x00454000 process_identifier: 2308 process_handle: 0x0000025c	1	1
WriteProcessMemory Nov. 25, 2023, 5:53 p.m.	buffer: base_address: 0x00466000 process_identifier: 2308 process_handle: 0x0000025c	1	1
WriteProcessMemory Nov. 25, 2023, 5:53 p.m.	buffer: 0 H`°}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0046b000 process_identifier: 2308 process_handle: 0x0000025c	1	1
WriteProcessMemory Nov. 25, 2023, 5:53 p.m.	buffer: base_address: 0x0046c000 process_identifier: 2308 process_handle: 0x0000025c	1	1
WriteProcessMemory Nov. 25, 2023, 5:53 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2308 process_handle: 0x0000025c	1	1
NtSetContextThread Nov. 25, 2023, 5:53 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4330649 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000258 process_identifier: 2308	1	0
NtResumeThread Nov. 25, 2023, 5:53 p.m.	thread_handle: 0x00000258 suspend_count: 1 process_identifier: 2308	1	0
NtResumeThread Nov. 25, 2023, 5:53 p.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 2308	1	0
CreateProcessInternalW Nov. 25, 2023, 5:53 p.m.	thread_identifier: 2392 thread_handle: 0x00000264 process_identifier: 2388 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\037ceed7fc\Utsysc.exe" /F filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000026c	1	1

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Lionic	Trojan.Win32.Blocker.V!c
MicroWorld-eScan	Trojan.GenericKD.70558579
FireEye	Trojan.GenericKD.70558579
Skyhigh	BehavesLike.Win32.Generic.th
Malwarebytes	Trojan.Crypt.MSIL.Generic
K7GW	Trojan ( 005ae5da1 )
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Kryptik.AKFS
APEX	Malicious
Kaspersky	HEUR:Trojan-Ransom.Win32.Blocker.pef
BitDefender	Trojan.GenericKD.70558579
Avast	Win32:BotX-gen [Trj]
Tencent	Win32.Trojan-Ransom.Blocker.Dkjl
Emsisoft	Trojan.GenericKD.70558579 (B)
F-Secure	Trojan.TR/Blocker.mysgx
DrWeb	Trojan.Packed2.45944
TrendMicro	Trojan.Win32.AMADEY.YXDKYZ
Trapmine	malicious.moderate.ml.score
Sophos	Mal/Generic-S
MAX	malware (ai score=89)
Webroot	W32.Blocker
Google	Detected
Avira	TR/Blocker.mysgx
Varist	W32/ABRisk.BMUI-6250
Antiy-AVL	Trojan[Ransom]/Win32.Blocker
Kingsoft	Win32.Trojan-Ransom.Blocker.pef
Microsoft	Trojan:Win32/ScarletFlash.A
Gridinsoft	Malware.Win32.Blocker.cc
Arcabit	Trojan.Generic.D434A373
ZoneAlarm	HEUR:Trojan-Ransom.Win32.Blocker.pef
GData	Win32.Trojan.Agent.CQGMZ3
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.AntiAnalysis.C5551254
McAfee	Artemis!6866F4E7450D
Cylance	unsafe
Panda	Trj/RansomGen.A
TrendMicro-HouseCall	Trojan.Win32.AMADEY.YXDKYZ
Rising	Ransom.Blocker!8.12A (CLOUD)
Ikarus	Win32.Outbreak
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Agent.BBC!tr
AVG	Win32:BotX-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

Jqjfw.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All