Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Dec. 11, 2023, 7:16 p.m.	Dec. 11, 2023, 7:53 p.m.

Size	1.6MB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`d0b882c07526d97ef91eccf153e31a4b`
SHA256	`99792e2eda5c50df332f2ba9bde7dbe158398acd913c16f980ff54bfda274f36`
CRC32	`5E2A9A1B`
ssdeep	`24576:LlmVGLBPhxC3jlp8gxakx09mTPPX58SuB1IyJdJe+32B0v:L0+BDuH8aHi9sfCSuBuq`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format

MedicinesViews.exe "C:\Users\test22\AppData\Local\Temp\MedicinesViews.exe"
2548
- cmd.exe cmd /k cmd < Cumshot & exit
  2684
  - cmd.exe cmd
    2744
    - tasklist.exe tasklist
      2788
    - findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      2824
    - tasklist.exe tasklist
      2936
    - findstr.exe findstr /I "wrsa.exe"
      2972
    - cmd.exe cmd /c mkdir 29577
      3044
    - cmd.exe cmd /c copy /b Hole + Mechanics + Fever + Queens + Period + Sussex 29577\Represent.pif
      604
    - cmd.exe cmd /c copy /b Via + Petroleum + Spider 29577\k
      2088
    - Represent.pif 29577\Represent.pif 29577\k
      2100
    - PING.EXE ping -n 5 localhost
      2220

Name	Response	Post-Analysis Lookup
UKnDvWMKHLvcOHop.UKnDvWMKHLvcOHop
JDyyDoFHAd.JDyyDoFHAd

IP Address	Status	Action
164.124.101.2	Active	Moloch
91.92.252.85	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49177 91.92.252.85:6800	C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=91.92.251.242: Self-signed certificate	C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=91.92.251.242: Self-signed certificate	e5:ee:c1:0d:b5:e8:fa:9a:f0:b5:9d:1a:93:c7:d0:24:b6:28:4d:99
TLS 1.2 192.168.56.101:49178 91.92.252.85:6800	C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=91.92.251.242: Self-signed certificate	C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=91.92.251.242: Self-signed certificate	e5:ee:c1:0d:b5:e8:fa:9a:f0:b5:9d:1a:93:c7:d0:24:b6:28:4d:99
TLS 1.2 192.168.56.101:49179 91.92.252.85:6800	C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=91.92.251.242: Self-signed certificate	C=XX, ST=N/A, L=N/A, O=Self-signed certificate, CN=91.92.251.242: Self-signed certificate	e5:ee:c1:0d:b5:e8:fa:9a:f0:b5:9d:1a:93:c7:d0:24:b6:28:4d:99

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Dec. 11, 2023, 7:16 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Dec. 11, 2023, 7:16 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 11, 2023, 7:16 p.m.			0	0

Command line console output was observed (50 out of 385 events)

Time & API	Arguments	Status	Return
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: Microsoft Windows [Version 6.1.7601] console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: Copyright (c) 2009 Microsoft Corporation. All rights reserved. console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\11590> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: Set xEOziYVBZDGziClXFJelRyBpHxoPFIDvzXXsJn=a console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\11590> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: kDjmCCjwzsNxYXFg=EMNPuWsZlql console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: 'kDjmCCjwzsNxYXFg' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\11590> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: TgiGMYhTwHtoicgUpbcsJg=LdAyHUAaBev console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: 'TgiGMYhTwHtoicgUpbcsJg' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\11590> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: rGNjYsxqXHFIKIvQMES=EpcdkSGYBgCyKWlgckvqggitKScY console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: 'rGNjYsxqXHFIKIvQMES' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\11590> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: KFXpAVTkvquKcmJtmXO=oxBiSHdesFzbIARIFWl console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: 'KFXpAVTkvquKcmJtmXO' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\11590> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: srYldfSOnZ=VHBfftPsSERTRG console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: 'srYldfSOnZ' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\11590> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: Set eUHqnCMNutvdRCPBEsznQulBEQEavApiDHhXibAIoTc=q console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\11590> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: NXPeejCboTVJycIYxsFVgNlgRxu=KdWLZIRSPfzhGKcOshweSKOCPf console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: 'NXPeejCboTVJycIYxsFVgNlgRxu' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\11590> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: ZNAkIuMMSWpJbEPotXagE=cWDztYqCzWKtRtftK console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: 'ZNAkIuMMSWpJbEPotXagE' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\11590> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: UXCRoDEneCJE=wZHaDHfeOMdDhZzMLT console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: 'UXCRoDEneCJE' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\11590> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: hkzHPEOZOF=bSPmJtpMLvcyukjgUElLsJJskHaR console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: 'hkzHPEOZOF' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\11590> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: OHAvSgbNOdfCZiDRujcDdUcET=OpnheLaYXOUIgXOAugVos console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: 'OHAvSgbNOdfCZiDRujcDdUcET' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\11590> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: ymyxWhbUjWChmgfAgDlq=OXbYnPPNiIKjj console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: 'ymyxWhbUjWChmgfAgDlq' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\11590> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: Set YiHOtBrCYyqbAlFZaYsadCIcnnHuyhS=i console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\11590> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: pszGOumujYaYwfE=ifMVTNvmjdFTW console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: 'pszGOumujYaYwfE' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\11590> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: KhZpdTjzDRSktDdbbp=YYXyyzvUUxn console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: 'KhZpdTjzDRSktDdbbp' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\11590> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: FpPhtYRYLVOMUrHJSoOT=QYnMoTPUYaYydjegfk console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: 'FpPhtYRYLVOMUrHJSoOT' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (12 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Dec. 11, 2023, 7:16 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:16 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:16 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:17 p.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:17 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 61440 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:17 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:17 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 397312 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040e0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:17 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04141000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:17 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04146000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:17 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04147000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:17 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 61440 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:17 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4132864 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065af000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\11590\29577\Represent.pif

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\11590\29577\Represent.pif

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\MedicinesViews.exe
file	C:\Users\test22\AppData\Local\Temp\11590\Hole
file	C:\Users\test22\AppData\Local\Temp\11590\29577\Represent.pif

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (8 events)

Time & API	Arguments	Status	Return
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x00000138 process_name: mobsync.exe process_identifier: 2276	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x00000138 process_name: pw.exe process_identifier: 2320	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x00000138 process_name: taskhost.exe process_identifier: 2368	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x00000138 process_name: conhost.exe process_identifier: 2720	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x00000138 process_name: cmd.exe process_identifier: 2744	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x00000138 process_name: WmiPrvSE.exe process_identifier: 2896	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x00000138 process_name: Represent.pif process_identifier: 2100	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x00000138 process_name: inject-x86.exe process_identifier: 148	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Expresses interest in specific running processes (3 events)

process	medicinesviews.exe
process	cmd.exe
process	represent.pif

Potentially malicious URLs were found in the process memory dump (3 events)

url	http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url	http://purl.org/rss/1.0/
url	http://www.passport.com

Yara rule detected in process memory (33 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Hijack network configuration	rule	Hijack_Network
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Dec. 11, 2023, 7:16 p.m.	status_code: 0x00000000 process_identifier: 2548 process_handle: 0x00000138		0	0
NtTerminateProcess Dec. 11, 2023, 7:16 p.m.	status_code: 0x00000000 process_identifier: 2548 process_handle: 0x00000138	1	0	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	tasklist
cmdline	cmd /c mkdir 29577
cmdline	ping -n 5 localhost

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: fcf3a403bef45071fb6b9d3c4eea8f85fc39b45a

Communicates with host for which no DNS query was performed (1 event)

host

91.92.252.85

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2744 resumed a thread in remote process 2100
NtResumeThread Dec. 11, 2023, 7:16 p.m.	thread_handle: 0x00000090 suspend_count: 0 process_identifier: 2100	1	0	0

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Agent.Y!c
MicroWorld-eScan	Trojan.GenericKD.70716860
FireEye	Trojan.GenericKD.70716860
ALYac	Trojan.GenericKD.70716860
Malwarebytes	Trojan.MalPack
VIPRE	Trojan.GenericKD.70716860
Sangfor	Trojan.Win32.Save.a
Alibaba	TrojanDropper:Win32/Generic.04938747
CrowdStrike	win/malicious_confidence_100% (W)
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/TrojanDropper.Delf.ACK
APEX	Malicious
Kaspersky	HEUR:Backdoor.Win32.Agent.gen
BitDefender	Trojan.GenericKD.70716860
Avast	Win32:PWSX-gen [Trj]
Tencent	Malware.Win32.Gencirc.11b9b42a
Emsisoft	Trojan.GenericKD.70716860 (B)
F-Secure	Trojan.TR/Drop.Agent.nfmuh
DrWeb	Trojan.Siggen22.29177
TrendMicro	TrojanSpy.Win32.RHADAMANTHYS.YXDLIZ
Sophos	Mal/Generic-S
MAX	malware (ai score=89)
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/Drop.Agent.nfmuh
Antiy-AVL	Trojan/Win32.Sabsik
Kingsoft	Win32.Troj.Unknown.a
Microsoft	Trojan:Win32/Sabsik.TE.B!ml
Gridinsoft	Trojan.Win32.Wacapew.sa
Xcitium	Malware@#1tmve2tbz67ir
Arcabit	Trojan.Generic.D4370DBC
ZoneAlarm	HEUR:Backdoor.Win32.Agent.gen
GData	Trojan.GenericKD.70716860
Cynet	Malicious (score: 99)
AhnLab-V3	Trojan/Win.Generic.C5560675
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TrojanSpy.Win32.RHADAMANTHYS.YXDLIZ
Rising	Backdoor.Agent!8.C5D (TFE:4:lSgtrGCtvkE)
Ikarus	Trojan-Dropper.Win32.Delf
MaxSecure	Trojan.Malware.9530778.susgen
AVG	Win32:PWSX-gen [Trj]
DeepInstinct	MALICIOUS

MedicinesViews.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All