Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 26, 2023, 1:31 p.m.	Nov. 26, 2023, 1:35 p.m.

Size	601.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`e59325a169b1a80fd0525ea86e130ff8`
SHA256	`ece7b97dcb7fcba52f0b348578e52178bbb7bcc22540ed9123997b90c14323e8`
CRC32	`F5F04384`
ssdeep	`12288:fy8oXi8ViC92Z8y/2mpBT32oQMwUaQs5+A6JYJL:fFUzN82mpJ2zMwUaQkoJcL`
PDB Path	OXG.pdb
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description)

asusns.exe "C:\Users\test22\AppData\Local\Temp\asusns.exe"
184
- asusns.exe "C:\Users\test22\AppData\Local\Temp\asusns.exe"
  2424
where.exe "C:\Windows\SysWOW64\where.exe"
2572
- firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
  2752

Name	Response	Post-Analysis Lookup
www.talknconvert.com	A 34.120.137.41 CNAME connect.hostinger.com	34.120.137.41
www.ofupakoshi.com	A 118.27.125.154	118.27.125.154
www.54c7pv.top	A 154.91.180.241	154.91.180.241
www.zz23xw.top	A 198.44.187.121	198.44.187.121
www.speedbikesglobal.com	A 207.244.126.150 CNAME speedbikesglobal.com	207.244.126.150
www.oneillspubs.com	A 199.59.243.225	199.59.243.225
www.velvet-key-properties.top	A 162.0.222.119	162.0.222.119
www.wearehydrant.com	A 216.40.34.41	216.40.34.41
www.ezus.life	A 34.96.147.60	34.96.147.60
www.sqlite.org	A 45.33.6.223	45.33.6.223

IP Address	Status	Action
118.27.125.154	Active	Moloch
154.91.180.241	Active	Moloch
162.0.222.119	Active	Moloch
164.124.101.2	Active	Moloch
198.44.187.121	Active	Moloch
199.59.243.225	Active	Moloch
207.244.126.150	Active	Moloch
216.40.34.41	Active	Moloch
34.120.137.41	Active	Moloch
34.96.147.60	Active	Moloch
45.33.6.223	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49176 -> 198.44.187.121:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
UDP 192.168.56.103:64894 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
UDP 192.168.56.103:62576 -> 164.124.101.2:53	2027867	ET INFO Observed DNS Query to .life TLD	Potentially Bad Traffic
TCP 192.168.56.103:49185 -> 162.0.222.119:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 192.168.56.103:49183 -> 118.27.125.154:80	2221033	SURICATA HTTP Request abnormal Content-Encoding header	Generic Protocol Command Decode
TCP 192.168.56.103:49179 -> 34.96.147.60:80	2027876	ET INFO HTTP Request to Suspicious *.life Domain	Potentially Bad Traffic
TCP 192.168.56.103:49180 -> 34.96.147.60:80	2027876	ET INFO HTTP Request to Suspicious *.life Domain	Potentially Bad Traffic
UDP 192.168.56.103:50674 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 26, 2023, 1:31 p.m.			0	0
IsDebuggerPresent Nov. 26, 2023, 1:31 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

OXG.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 26, 2023, 1:31 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Resolves a suspicious Top Level Domain (TLD) (3 events)

domain	www.zz23xw.top	description	Generic top level domain TLD
domain	www.54c7pv.top	description	Generic top level domain TLD
domain	www.velvet-key-properties.top	description	Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (34 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 26, 2023, 1:31 p.m.	process_identifier: 184 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00900000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 26, 2023, 1:31 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 26, 2023, 1:31 p.m.	process_identifier: 184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 26, 2023, 1:31 p.m.	process_identifier: 184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 26, 2023, 1:31 p.m.	process_identifier: 184 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00740000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 26, 2023, 1:31 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 26, 2023, 1:31 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00392000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 26, 2023, 1:31 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 26, 2023, 1:31 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 26, 2023, 1:31 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 26, 2023, 1:31 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 26, 2023, 1:31 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 26, 2023, 1:31 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0039a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 26, 2023, 1:31 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 26, 2023, 1:31 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 26, 2023, 1:31 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 26, 2023, 1:31 p.m.	process_identifier: 184 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 26, 2023, 1:31 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 26, 2023, 1:32 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 26, 2023, 1:32 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 26, 2023, 1:32 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 26, 2023, 1:32 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0039c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 26, 2023, 1:32 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 26, 2023, 1:32 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 26, 2023, 1:32 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 26, 2023, 1:32 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 26, 2023, 1:32 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ae000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 26, 2023, 1:32 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 26, 2023, 1:32 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 26, 2023, 1:32 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 26, 2023, 1:32 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 26, 2023, 1:32 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 26, 2023, 1:32 p.m.	process_identifier: 2424 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00950000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 26, 2023, 1:32 p.m.	process_identifier: 2572 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02130000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (1 event)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\asusns.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\asusns.exe

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00094a00', u'virtual_address': u'0x00002000', u'entropy': 7.982606910306944, u'name': u'.text', u'virtual_size': u'0x0009485c'}

entropy

7.98260691031

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00001600', u'virtual_address': u'0x00098000', u'entropy': 7.154756110200101, u'name': u'.rsrc', u'virtual_size': u'0x000015c8'}

entropy

7.1547561102

description

A section with a high entropy has been found

entropy

0.999167360533

description

Overall entropy of this PE file is high

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 26, 2023, 1:32 p.m.	process_identifier: 2424 region_size: 249856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b8	1	0	0

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\asusns.exe

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 26, 2023, 1:32 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $y =`gó=`gó=`gó¦¨ó:`gó¦ªó<`gó¦«ó<`góRich=`góPELÖ~VàÀÐ@Ð@.textD¾À ` base_address: 0x00400000 process_identifier: 2424 process_handle: 0x000002b8	1	1	0
WriteProcessMemory Nov. 26, 2023, 1:32 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2424 process_handle: 0x000002b8	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 26, 2023, 1:32 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $y =`gó=`gó=`gó¦¨ó:`gó¦ªó<`gó¦«ó<`góRich=`góPELÖ~VàÀÐ@Ð@.textD¾À ` base_address: 0x00400000 process_identifier: 2424 process_handle: 0x000002b8	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 184 called NtSetContextThread to modify thread in remote process 2424
NtSetContextThread Nov. 26, 2023, 1:32 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4199568 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002b4 process_identifier: 2424	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 184 resumed a thread in remote process 2424
NtResumeThread Nov. 26, 2023, 1:32 p.m.	thread_handle: 0x000002b4 suspend_count: 1 process_identifier: 2424	1	0	0

Executed a process and injected code into it, probably while unpacking (14 events)

Time & API	Arguments	Status	Return
NtResumeThread Nov. 26, 2023, 1:31 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 184	1	0
NtResumeThread Nov. 26, 2023, 1:31 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 184	1	0
NtResumeThread Nov. 26, 2023, 1:31 p.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 184	1	0
NtResumeThread Nov. 26, 2023, 1:32 p.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 184	1	0
CreateProcessInternalW Nov. 26, 2023, 1:32 p.m.	thread_identifier: 2428 thread_handle: 0x000002b4 process_identifier: 2424 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\asusns.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\asusns.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002b8	1	1
NtGetContextThread Nov. 26, 2023, 1:32 p.m.	thread_handle: 0x000002b4	1	0
NtAllocateVirtualMemory Nov. 26, 2023, 1:32 p.m.	process_identifier: 2424 region_size: 249856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b8	1	0
WriteProcessMemory Nov. 26, 2023, 1:32 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $y =`gó=`gó=`gó¦¨ó:`gó¦ªó<`gó¦«ó<`góRich=`góPELÖ~VàÀÐ@Ð@.textD¾À ` base_address: 0x00400000 process_identifier: 2424 process_handle: 0x000002b8	1	1
WriteProcessMemory Nov. 26, 2023, 1:32 p.m.	buffer: base_address: 0x00401000 process_identifier: 2424 process_handle: 0x000002b8	1	1
WriteProcessMemory Nov. 26, 2023, 1:32 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2424 process_handle: 0x000002b8	1	1
NtSetContextThread Nov. 26, 2023, 1:32 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4199568 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002b4 process_identifier: 2424	1	0
NtResumeThread Nov. 26, 2023, 1:32 p.m.	thread_handle: 0x000002b4 suspend_count: 1 process_identifier: 2424	1	0
NtResumeThread Nov. 26, 2023, 1:32 p.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 2572	1	0
CreateProcessInternalW Nov. 26, 2023, 1:32 p.m.	thread_identifier: 2756 thread_handle: 0x00000314 process_identifier: 2752 current_directory: filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: filepath_r: C:\Program Files\Mozilla Firefox\Firefox.exe stack_pivoted: 0 creation_flags: 12 (CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000324	1	1

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 events)

Lionic	Trojan.Win32.Agensla.i!c
MicroWorld-eScan	Trojan.GenericKD.70520003
FireEye	Trojan.GenericKD.70520003
ALYac	Trojan.GenericKD.70520003
Malwarebytes	Trojan.MalPack.PNG.Generic
VIPRE	Trojan.GenericKD.70520003
Sangfor	Infostealer.Msil.AgentTesla.Vzoj
K7AntiVirus	Trojan ( 005ae4eb1 )
Alibaba	TrojanPSW:MSIL/Agensla.38919fe5
K7GW	Trojan ( 005ae4eb1 )
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	Scr.Malcode!gdn33
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Kryptik.AKFG
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender	Trojan.GenericKD.70520003
Tencent	Malware.Win32.Gencirc.13f7bc20
Sophos	Troj/Krypt-ABH
F-Secure	Trojan.TR/AD.Swotter.osihm
DrWeb	Trojan.Inject4.59820
Emsisoft	Trojan.GenericKD.70520003 (B)
SentinelOne	Static AI - Malicious PE
Varist	W32/MSIL_Kryptik.KEF.gen!Eldorado
Avira	TR/AD.Swotter.osihm
MAX	malware (ai score=82)
Kingsoft	MSIL.Trojan-PSW.Agensla.gen
Gridinsoft	Trojan.Win32.Kryptik.sa
Arcabit	Trojan.Generic.D4340CC3
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Agensla.gen
GData	Win32.Trojan.Agent.8YIDO5
Google	Detected
AhnLab-V3	Malware/Win.Generic.C5547600
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R06CH0DKM23
Rising	Malware.Obfus/MSIL@AI.82 (RDM.MSIL2:Wu/aPPNnipDfTU3Tp0DLbw)
Ikarus	Trojan.MSIL.Inject
Fortinet	MSIL/GenKryptik.GJKZ!tr
BitDefenderTheta	Gen:NN.ZemsilF.36792.Lm0@a8EbNco
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

asusns.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All