Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 19, 2024, 1:04 p.m.	April 19, 2024, 1:11 p.m.

Size	742.4KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`269a3d770289d6442ad0b01e03276a10`
SHA256	`1b0a15ce9c6a24c1d420956e45110f25170fd2bb8c2fe1269f36aa43c40b59aa`
CRC32	`6FDCAB55`
ssdeep	`12288:K4AzttgbhCMCtTSb1uuH8fu2l6heoBPQED6lsKnsXLW:K7jgbhjCxShjHqLl6ZPmsKsXS`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature DllRegisterServer_Zero - execute regsvr32.exe IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

js.exe "C:\Users\test22\AppData\Local\Temp\js.exe"
776

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
192.227.146.252	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49163 -> 192.227.146.252:8000	2260003	SURICATA Applayer Protocol detection skipped	Generic Protocol Command Decode
TCP 192.168.56.103:49162 -> 192.227.146.252:2025	2016879	ET POLICY Unsupported/Fake Windows NT Version 5.0	Potential Corporate Privacy Violation
TCP 192.168.56.103:49162 -> 192.227.146.252:2025	2018752	ET HUNTING Generic .bin download from Dotted Quad	Potentially Bad Traffic
TCP 192.227.146.252:2025 -> 192.168.56.103:49162	2045860	ET HUNTING Rejetto HTTP File Sever Response	A Network Trojan was detected
TCP 192.168.56.103:49162 -> 192.227.146.252:2025	2016879	ET POLICY Unsupported/Fake Windows NT Version 5.0	Potential Corporate Privacy Violation
TCP 192.168.56.103:49162 -> 192.227.146.252:2025	2018752	ET HUNTING Generic .bin download from Dotted Quad	Potentially Bad Traffic
TCP 192.168.56.103:49169 -> 192.227.146.252:2025	2016879	ET POLICY Unsupported/Fake Windows NT Version 5.0	Potential Corporate Privacy Violation
TCP 192.168.56.103:49169 -> 192.227.146.252:2025	2018752	ET HUNTING Generic .bin download from Dotted Quad	Potentially Bad Traffic
TCP 192.227.146.252:2025 -> 192.168.56.103:49169	2045860	ET HUNTING Rejetto HTTP File Sever Response	A Network Trojan was detected
TCP 192.168.56.103:49169 -> 192.227.146.252:2025	2016879	ET POLICY Unsupported/Fake Windows NT Version 5.0	Potential Corporate Privacy Violation
TCP 192.168.56.103:49169 -> 192.227.146.252:2025	2018752	ET HUNTING Generic .bin download from Dotted Quad	Potentially Bad Traffic
TCP 192.168.56.103:49170 -> 192.227.146.252:8000	2260003	SURICATA Applayer Protocol detection skipped	Generic Protocol Command Decode

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW April 19, 2024, 1:05 p.m.	computer_name: TEST22-PC	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 19, 2024, 1:04 p.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

TEXTINCLUDE

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 19, 2024, 1:04 p.m.	process_identifier: 776 region_size: 528384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:04 p.m.	process_identifier: 776 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:04 p.m.	process_identifier: 776 region_size: 217088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x037b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:04 p.m.	process_identifier: 776 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03520000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

js.exe tried to sleep 456 seconds, actually delayed analysis time by 456 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW April 19, 2024, 1:04 p.m.	total_number_of_free_bytes: 9935982592 free_bytes_available: 9935982592 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Foreign language identified in PE resource (50 out of 51 events)

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000c4d10

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000c4d10

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000c4d10

size

0x00000151

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000c5200

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000c5200

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000c5200

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000c5200

size

0x000000b4

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000c6908

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000c6908

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000c6908

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000c6908

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000c6908

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000c6908

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000c6908

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000c6908

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000c6908

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000c6908

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000c6908

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000c6908

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000c6908

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000c6908

size

0x00000144

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d3bb4

size

0x00000284

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d3bb4

size

0x00000284

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d4dfc

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d4dfc

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d4dfc

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d4dfc

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d4dfc

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d4dfc

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d4dfc

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d4dfc

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d4dfc

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d4dfc

size

0x0000018c

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d5844

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d5844

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d5844

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d5844

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d5844

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d5844

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d5844

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d5844

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d5844

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d5844

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d5844

size

0x00000024

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d5890

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d5890

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d5890

size

0x00000022

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d5940

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d5940

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d5940

size

0x00000014

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\js.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\2572\....\2573

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (35 events)

Time & API	Arguments	Status	Return
Process32FirstW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: [System Process] process_identifier: 0	1	1
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: System process_identifier: 4	1	1
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: smss.exe process_identifier: 232	1	1
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: csrss.exe process_identifier: 308	1	1
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: wininit.exe process_identifier: 344	1	1
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: csrss.exe process_identifier: 356	1	1
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: winlogon.exe process_identifier: 392	1	1
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: services.exe process_identifier: 436	1	1
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: lsass.exe process_identifier: 452	1	1
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: lsm.exe process_identifier: 460	1	1
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: svchost.exe process_identifier: 560	1	1
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: svchost.exe process_identifier: 636	1	1
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: svchost.exe process_identifier: 716	1	1
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: svchost.exe process_identifier: 780	1	1
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: svchost.exe process_identifier: 824	1	1
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: audiodg.exe process_identifier: 896	1	1
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: svchost.exe process_identifier: 984	1	1
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: svchost.exe process_identifier: 340	1	1
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: spoolsv.exe process_identifier: 1060	1	1
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: taskhost.exe process_identifier: 1112	1	1
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: svchost.exe process_identifier: 1120	1	1
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: dwm.exe process_identifier: 1192	1	1
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: explorer.exe process_identifier: 1236	1	1
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: svchost.exe process_identifier: 1744	1	1
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1888	1	1
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: SearchIndexer.exe process_identifier: 1652	1	1
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: mobsync.exe process_identifier: 1712	1	1
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 288	1	1
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: taskhost.exe process_identifier: 772	1	1
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: cmd.exe process_identifier: 1932	1	1
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: SearchProtocolHost.exe process_identifier: 1460	1	1
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: conhost.exe process_identifier: 632	1	1
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: SearchFilterHost.exe process_identifier: 1516	1	1
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: js.exe process_identifier: 776	1	1
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 19, 2024, 1:05 p.m.	process_identifier: 776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 20480 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

Moves the original executable to a new location (2 events)

Time & API	Arguments	Status	Return	Repeated
MoveFileWithProgressW April 19, 2024, 1:05 p.m.	newfilepath_r: C:\Users\test22\AppData\Local\Temp\2572\....\\2573 flags: 2 oldfilepath_r: C:\Users\test22\AppData\Local\Temp\js.exe newfilepath: C:\Users\test22\AppData\Local\Temp\2572\....\2573 oldfilepath: C:\Users\test22\AppData\Local\Temp\js.exe	1	1	0
MoveFileWithProgressW April 19, 2024, 1:05 p.m.	newfilepath_r: C:\Users\test22\AppData\Local\Temp\2572\....\\2573 flags: 2 oldfilepath_r: C:\Users\test22\AppData\Local\Temp\js.exe newfilepath: C:\Users\test22\AppData\Local\Temp\2572\....\2573 oldfilepath: C:\Users\test22\AppData\Local\Temp\js.exe	1	1	0

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (36 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0
Process32NextW April 19, 2024, 1:04 p.m.	snapshot_handle: 0x00000488 process_name: pw.exe process_identifier: 1508		0	0

Communicates with host for which no DNS query was performed (1 event)

host

192.227.146.252

Installs an hook procedure to monitor for mouse events (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW April 19, 2024, 1:04 p.m.	thread_identifier: 0 callback_function: 0x73fdc951 hook_identifier: 14 (WH_MOUSE_LL) module_address: 0x73fd0000	1	197077	0

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

Bkav	W32.AIDetectMalware
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Generic.2919
Skyhigh	GenericRXEP-PU!269A3D770289
Cylance	unsafe
Sangfor	Suspicious.Win32.Save.ins
BitDefender	Trojan.Generic.35720394
K7GW	Trojan ( 005246d51 )
K7AntiVirus	Trojan ( 005246d51 )
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.FlyStudio.AA potentially unwanted
APEX	Malicious
McAfee	GenericRXEP-PU!269A3D770289
Avast	Win32:Evo-gen [Trj]
Kaspersky	HEUR:Backdoor.Win32.Xkcp.gen
MicroWorld-eScan	Trojan.Generic.35720394
Emsisoft	Trojan.Generic.35720394 (B)
DrWeb	Trojan.DownLoader46.58692
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.269a3d770289d644
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32
Webroot	W32.Malware.Gen
Google	Detected
MAX	malware (ai score=86)
Antiy-AVL	RiskWare/Win32.FlyStudio.a
Kingsoft	Win32.Hack.Xkcp.gen
Gridinsoft	Trojan.Win32.Packed.sa
Xcitium	Worm.Win32.Dropper.RA@1qraug
Microsoft	Trojan:Win32/Emotet!ml
ZoneAlarm	HEUR:Backdoor.Win32.Xkcp.gen
GData	Win32.Application.PSE.10ODIJ9
Varist	W32/Trojan.ISO.gen!Eldorado
AhnLab-V3	Malware/Win.Generic.C5168325
BitDefenderTheta	Gen:NN.ZexaF.36802.Uq2@aynP2Llb
DeepInstinct	MALICIOUS
VBA32	suspected of Trojan.Downloader.gen
Malwarebytes	Generic.Malware.AI.DDS
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002H06DI24
Yandex	Trojan.GenAsa!kHMPwob5fm4
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.121218.susgen
Fortinet	Riskware/FlyApplication
AVG	Win32:Evo-gen [Trj]
alibabacloud	Backdoor:Win/Xkcp.gyf

js.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All