Summary | ZeroBOX

tdrpload.exe

Tags: Worm, Phorpiex, Generic Malware, UPX, Downloader, Admin Tool (Sysinternals etc ...), Malicious Library, Malicious Packer, PE64, PE File, PE32
Category FILE
Machine s1_win7_x6401
Started May 18, 2024, 8:04 p.m.
Completed May 18, 2024, 8:08 p.m.
Size 104.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 9a24a00438a4d06d64fe4820061a1b45
SHA256 66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54
CRC32 DEF2C408
ssdeep 1536:KlULHCIFmav82fkJMTZ0imzS6ussgExLXCxnbKG:wUDeO9TZH6SngYsbKG
Yara
  • Malicious_Library_Zero - Malicious_Library
  • Network_Downloader - File Downloader
  • PE_Header_Zero - PE File Signature
  • Admin_Tool_IN_Zero - Admin Tool Sysinternals
  • Malicious_Packer_Zero - Malicious Packer
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware

IP Address Status Action
103.4.92.235 Active Moloch
105.111.97.94 Active Moloch
134.35.181.192 Active Moloch
151.233.182.35 Active Moloch
151.247.86.184 Active Moloch
164.124.101.2 Active Moloch
175.107.56.212 Active Moloch
178.130.73.157 Active Moloch
185.203.237.213 Active Moloch
185.215.113.66 Active Moloch
188.208.58.14 Active Moloch
188.209.24.211 Active Moloch
188.215.185.154 Active Moloch
189.222.32.81 Active Moloch
2.180.32.222 Active Moloch
2.182.101.42 Active Moloch
2.183.172.29 Active Moloch
2.185.241.24 Active Moloch
20.72.235.82 Active Moloch
213.230.90.13 Active Moloch
213.230.99.184 Active Moloch
216.107.138.162 Active Moloch
45.150.25.234 Active Moloch
45.244.97.228 Active Moloch
46.167.138.154 Active Moloch
5.190.247.209 Active Moloch
5.232.129.90 Active Moloch
5.42.96.117 Active Moloch
77.221.27.6 Active Moloch
78.137.80.115 Active Moloch
78.39.232.233 Active Moloch
82.194.13.101 Active Moloch
82.194.13.95 Active Moloch
89.165.5.25 Active Moloch
89.236.205.171 Active Moloch
89.236.208.174 Active Moloch
89.236.219.80 Active Moloch
89.38.90.198 Active Moloch
91.202.233.141 Active Moloch
93.118.99.152 Active Moloch
95.59.4.234 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 185.215.113.66:80 -> 192.168.56.101:49172 2400031 ET DROP Spamhaus DROP Listed Traffic Inbound group 32 Misc Attack
TCP 192.168.56.101:49179 -> 185.215.113.66:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 185.215.113.66:80 -> 192.168.56.101:49179 2014819 ET INFO Packed Executable Download Misc activity
UDP 192.168.56.101:59004 -> 151.247.86.184:40500 2044077 ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC A Network Trojan was detected
TCP 192.168.56.101:49188 -> 185.215.113.66:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 185.215.113.66:80 -> 192.168.56.101:49188 2014819 ET INFO Packed Executable Download Misc activity
TCP 185.215.113.66:80 -> 192.168.56.101:49188 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 185.215.113.66:80 -> 192.168.56.101:49188 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
UDP 192.168.56.101:59004 -> 2.182.101.42:40500 2044077 ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC A Network Trojan was detected
UDP 192.168.56.101:59004 -> 105.111.97.94:40500 2044077 ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC A Network Trojan was detected
TCP 5.42.96.117:80 -> 192.168.56.101:49208 2400000 ET DROP Spamhaus DROP Listed Traffic Inbound group 1 Misc Attack
TCP 185.215.113.66:80 -> 192.168.56.101:49179 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 185.215.113.66:80 -> 192.168.56.101:49179 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
UDP 192.168.56.101:59004 -> 93.118.99.152:40500 2044077 ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC A Network Trojan was detected
UDP 192.168.56.101:54150 -> 5.232.129.90:40500 2044077 ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC A Network Trojan was detected
UDP 192.168.56.101:54150 -> 89.165.5.25:40500 2044077 ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC A Network Trojan was detected
UDP 192.168.56.101:59004 -> 77.221.27.6:40500 2044077 ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC A Network Trojan was detected
UDP 192.168.56.101:59004 -> 213.230.90.13:40500 2044077 ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC A Network Trojan was detected
TCP 91.202.233.141:80 -> 192.168.56.101:49228 2400012 ET DROP Spamhaus DROP Listed Traffic Inbound group 13 Misc Attack
UDP 192.168.56.101:59004 -> 188.215.185.154:40500 2044077 ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC A Network Trojan was detected
UDP 192.168.56.101:59004 -> 5.190.247.209:40500 2044077 ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC A Network Trojan was detected
UDP 192.168.56.101:59004 -> 103.4.92.235:40500 2044077 ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC A Network Trojan was detected
UDP 192.168.56.101:54150 -> 46.167.138.154:40500 2044077 ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC A Network Trojan was detected
UDP 192.168.56.101:54150 -> 134.35.181.192:40500 2044077 ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.66:5151 2024792 ET POLICY Cryptocurrency Miner Checkin Potential Corporate Privacy Violation
TCP 192.168.56.101:49220 -> 185.215.113.66:5151 2024792 ET POLICY Cryptocurrency Miner Checkin Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
suspicious_features Connection to IP address suspicious_request GET http://185.215.113.66/1
suspicious_features Connection to IP address suspicious_request GET http://185.215.113.66/2
suspicious_features Connection to IP address suspicious_request GET http://185.215.113.66/3
suspicious_features Connection to IP address suspicious_request GET http://185.215.113.66/_1
suspicious_features Connection to IP address suspicious_request GET http://185.215.113.66/4
suspicious_features Connection to IP address suspicious_request GET http://185.215.113.66/newpinf.exe
suspicious_features Connection to IP address suspicious_request GET http://185.215.113.66/_2
suspicious_features Connection to IP address suspicious_request GET http://185.215.113.66/nxmr.exe
suspicious_features Connection to IP address suspicious_request GET http://185.215.113.66/5
suspicious_features Connection to IP address suspicious_request GET http://185.215.113.66/_3
suspicious_features Connection to IP address suspicious_request GET http://185.215.113.66/6
request GET http://185.215.113.66/1
request GET http://185.215.113.66/2
request GET http://185.215.113.66/3
request GET http://185.215.113.66/_1
request GET http://185.215.113.66/4
request GET http://185.215.113.66/newpinf.exe
request GET http://185.215.113.66/_2
request GET http://185.215.113.66/nxmr.exe
request GET http://185.215.113.66/5
request GET http://185.215.113.66/_3
request GET http://twizt.net/ALLSTATA
request GET http://185.215.113.66/6
ip 185.215.113.66
ip 100.66.225.150
ip 103.4.92.235
ip 105.111.97.94
ip 134.35.181.192
ip 151.233.182.35
ip 151.247.86.184
ip 175.107.56.212
ip 185.203.237.213
ip 188.208.58.14
ip 188.209.24.211
ip 188.215.185.154
ip 189.222.32.81
ip 2.180.32.222
ip 2.182.101.42
ip 2.183.172.29
ip 2.185.241.24
ip 213.230.90.13
ip 213.230.99.184
ip 216.107.138.162
ip 46.167.138.154
ip 5.190.247.209
ip 5.232.129.90
ip 77.221.27.6
ip 78.137.80.115
ip 82.194.13.101
ip 89.165.5.25
ip 89.236.205.171
ip 89.236.208.174
ip 89.236.219.80
ip 93.118.99.152
description syslmgrsvc.exe tried to sleep 209 seconds, actually delayed analysis time by 209 seconds
description sysblardsv.exe tried to sleep 223 seconds, actually delayed analysis time by 223 seconds
file C:\Users\test22\AppData\Local\Temp\1987512602.exe
file C:\Users\test22\AppData\Local\Temp\Windows Security Upgrade Service.exe
file C:\Users\test22\AppData\Local\Temp\1561421694.exe
file C:\Users\test22\AppData\Local\Temp\2298410743.exe
file C:\Users\test22\AppData\Local\Temp\2659714173.exe
file C:\Users\test22\AppData\Local\Temp\293032010.exe
file C:\Users\test22\AppData\Local\Temp\2332935052.exe
file C:\Users\test22\AppData\Local\Temp\2308024082.exe
file C:\Users\test22\AppData\Local\Temp\2744511748.exe
file C:\Users\test22\AppData\Local\Temp\1887329501.exe
file C:\Users\test22\AppData\Local\Temp\160254306.exe
file C:\Users\test22\AppData\Local\Temp\1529115571.exe
file C:\Users\test22\AppData\Local\Temp\3359033542.exe
file C:\Users\test22\AppData\Local\Temp\1406718315.exe
file C:\Users\test22\AppData\Local\Temp\34948448.exe
file C:\Users\test22\AppData\Local\Temp\1420928288.exe
file C:\Users\test22\AppData\Local\Temp\1896517387.exe
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x000003a0
filepath: C:\Users\test22\tbtnds.dat
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\tbtnds.dat
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
status: 1 return: 0 repeated: 0

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x000002f4
filepath: C:\Users\test22\tbtnds.dat
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\tbtnds.dat
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 3 (FILE_OVERWRITTEN)
share_access: 0 ()
status: 1 return: 0 repeated: 0

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000360
filepath: C:\Users\test22\tbtnds.dat
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\tbtnds.dat
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 3 (FILE_OVERWRITTEN)
share_access: 0 ()
status: 1 return: 0 repeated: 0

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x000002dc
filepath: C:\Users\test22\tbtnds.dat
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\tbtnds.dat
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 3 (FILE_OVERWRITTEN)
share_access: 0 ()
status: 1 return: 0 repeated: 0

NtCreateFile

create_disposition: 2 (FILE_CREATE)
file_handle: 0x000000b0
filepath: C:\Users\test22\AppData\Roaming\windrx.txt
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Roaming\windrx.txt
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
status: 1 return: 0 repeated: 0

NtCreateFile

create_disposition: 2 (FILE_CREATE)
file_handle: 0x000000b0
filepath: C:\Users\test22\AppData\Roaming\pluoopl.txt
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Roaming\pluoopl.txt
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
status: 1 return: 0 repeated: 0

NtCreateFile

create_disposition: 2 (FILE_CREATE)
file_handle: 0x0000009c
filepath: C:\Users\test22\ssss3444443.jpg
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\ssss3444443.jpg
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
status: 1 return: 0 repeated: 0

NtCreateFile

create_disposition: 2 (FILE_CREATE)
file_handle: 0x000000b0
filepath: C:\Users\test22\48589392.jpg
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\48589392.jpg
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
status: 1 return: 0 repeated: 0

NtCreateFile

create_disposition: 2 (FILE_CREATE)
file_handle: 0x0000009c
filepath: C:\Users\test22\78876rtb.jpg
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\78876rtb.jpg
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
status: 1 return: 0 repeated: 0

NtCreateFile

create_disposition: 2 (FILE_CREATE)
file_handle: 0x0000006c
filepath: C:\Users\test22\975666578.jpg
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\975666578.jpg
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
status: 1 return: 0 repeated: 0
file C:\Users\test22\AppData\Local\Temp\293032010.exe
file C:\Users\test22\AppData\Local\Temp\Windows Security Upgrade Service.exe
file C:\Users\test22\AppData\Local\Temp\2298410743.exe
file C:\Users\test22\AppData\Local\Temp\1887329501.exe
file C:\Users\test22\AppData\Local\Temp\1561421694.exe
file C:\Users\test22\AppData\Local\Temp\2308024082.exe
file C:\Users\test22\AppData\Local\Temp\1529115571.exe
file C:\Users\test22\AppData\Local\Temp\3359033542.exe
Time & API Arguments Status Return Repeated

InternetReadFile

buffer: MZÿÿ¸@ິ Í!¸LÍ!This program cannot be run in DOS mode. $¿\¥×û=˄û=˄û=˄òEX„ù=˄òE^„ú=˄òEH„î=˄Üû°„ð=˄û=ʄ°=˄òEO„þ=˄òEZ„ú=˄Richû=˄PELQ$fà  &&
request_handle: 0x00cc000c
status: 1 return: 1 repeated: 0

InternetReadFile

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEd† ›Ñ=dð. &’ÌV°@`WeW` 
request_handle: 0x00cc000c
status: 1 return: 1 repeated: 0
buffer Buffer with sha1: 2a9290e32d1582217eac32b977961ada243ada9a
host 103.4.92.235
host 105.111.97.94
host 134.35.181.192
host 151.233.182.35
host 151.247.86.184
host 175.107.56.212
host 178.130.73.157
host 185.203.237.213
host 188.208.58.14
host 188.209.24.211
host 188.215.185.154
host 189.222.32.81
host 2.180.32.222
host 2.182.101.42
host 2.183.172.29
host 2.185.241.24
host 213.230.90.13
host 213.230.99.184
host 216.107.138.162
host 45.150.25.234
host 45.244.97.228
host 46.167.138.154
host 5.190.247.209
host 5.232.129.90
host 5.42.96.117
host 77.221.27.6
host 78.137.80.115
host 78.39.232.233
host 82.194.13.101
host 82.194.13.95
host 89.165.5.25
host 89.236.205.171
host 89.236.208.174
host 89.236.219.80
host 89.38.90.198
host 91.202.233.141
host 93.118.99.152
host 95.59.4.234
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings reg_value C:\Windows\sysblardsv.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings reg_value C:\Windows\syslmgrsvc.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Service reg_value C:\Windows\winqlsdrvcs.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
process sysblardsv.exe useragent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
process winqlsdrvcs.exe useragent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
process 2308024082.exe useragent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
file C:\Users\test22\AppData\Local\Temp\tdrpload.exe:Zone.Identifier
file C:\Users\test22\AppData\Local\Temp\1887329501.exe:Zone.Identifier
file C:\Users\test22\AppData\Local\Temp\34948448.exe:Zone.Identifier
file C:\Users\test22\AppData\Local\Temp\1561421694.exe:Zone.Identifier
file C:\Users\test22\AppData\Local\Temp\1420928288.exe:Zone.Identifier
file C:\Users\test22\AppData\Local\Temp\2659714173.exe:Zone.Identifier
file C:\Windows\syslmgrsvc.exe:Zone.Identifier
file C:\Users\test22\AppData\Local\Temp\1406718315.exe:Zone.Identifier
file C:\Users\test22\AppData\Local\Temp\293032010.exe:Zone.Identifier
file C:\Users\test22\AppData\Local\Temp\Windows Security Upgrade Service.exe:Zone.Identifier
file C:\Users\test22\AppData\Local\Temp\2308024082.exe:Zone.Identifier
file C:\Users\test22\AppData\Local\Temp\1896517387.exe:Zone.Identifier
file C:\Users\test22\AppData\Local\Temp\2298410743.exe:Zone.Identifier
file C:\Users\test22\AppData\Local\Temp\3359033542.exe:Zone.Identifier
file C:\Windows\sysblardsv.exe:Zone.Identifier
file C:\Users\test22\AppData\Local\Temp\160254306.exe:Zone.Identifier
file C:\Users\test22\AppData\Local\Temp\2332935052.exe:Zone.Identifier
file C:\Users\test22\AppData\Local\Temp\2744511748.exe:Zone.Identifier
file C:\Windows\winqlsdrvcs.exe:Zone.Identifier
file C:\Users\test22\AppData\Local\Temp\1529115571.exe:Zone.Identifier
file C:\Users\test22\AppData\Local\Temp\1987512602.exe:Zone.Identifier
description attempts to disable antivirus notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
description attempts to disable antivirus notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
description attempts to disable firewall notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
description attempts to disable firewall notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
description attempts to disable windows update notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
service wuauserv (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start)
service BITS (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Start)
Lionic Trojan.Win32.Phorpiex.4!c
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
CAT-QuickHeal Trojan.Agent
Skyhigh BehavesLike.Win32.Dropper.ch
Cylance unsafe
VIPRE Gen:Heur.Mint.Zard.39
Sangfor Suspicious.Win32.Save.ins
K7AntiVirus Trojan ( 0055365e1 )
BitDefender Trojan.GenericKD.72789329
K7GW Trojan ( 0055365e1 )
Arcabit Trojan.Generic.D456AD51
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Phorpiex.V
APEX Malicious
McAfee Artemis!9A24A00438A4
Avast Win32:KadrBot [Trj]
Kaspersky HEUR:Trojan.Win32.Agent.gen
Alibaba Worm:Win32/Phorpiex.4aa10747
NANO-Antivirus Trojan.Win32.Phorpiex.kmtras
MicroWorld-eScan Trojan.GenericKD.72789329
Rising Worm.Phorpiex!8.48D (TFE:3:2wXnuqqcioP)
Emsisoft Trojan.GenericKD.72789329 (B)
F-Secure Trojan.TR/AD.Hvnc.etkxs
DrWeb Trojan.DownLoader46.2135
TrendMicro TROJ_GEN.R06CC0DED24
Trapmine malicious.high.ml.score
FireEye Generic.mg.9a24a00438a4d06d
Sophos W32/Trizt-Gen
Ikarus Worm.Win32.Phorpiex
Webroot W32.Trojan.Gen
Google Detected
Avira TR/AD.Hvnc.etkxs
MAX malware (ai score=86)
Antiy-AVL Trojan/Win32.Phorpiex
Kingsoft malware.kb.a.1000
Gridinsoft Trojan.Win32.Agent.sa
Microsoft Trojan:Win32/Tiny.EH!MTB
ZoneAlarm HEUR:Trojan.Win32.Agent.gen
GData Win32.Trojan.Phorpiex.D
Varist W32/ABRisk.EAFK-5565
AhnLab-V3 Trojan/Win.Generic.C4630408
BitDefenderTheta AI:Packer.3A89DF821E
DeepInstinct MALICIOUS
VBA32 BScope.Worm.Propriex
Malwarebytes Phorpiex.Trojan.Bot.DDS
Panda Adware/SecurityProtection
TrendMicro-HouseCall TROJ_GEN.R06CC0DED24
Tencent Malware.Win32.Gencirc.140b91ee
SentinelOne Static AI - Malicious PE
dead_host 192.168.56.101:49222
dead_host 192.168.56.101:49231
dead_host 192.168.56.101:49211
dead_host 192.168.56.101:49230
dead_host 192.168.56.101:49242
dead_host 192.168.56.101:49243
dead_host 192.168.56.101:49219
dead_host 192.168.56.101:49237
dead_host 95.59.4.234:40500
dead_host 192.168.56.101:49223
dead_host 5.42.96.117:80
dead_host 192.168.56.101:49203
dead_host 192.168.56.101:49224
dead_host 192.168.56.101:49234
dead_host 20.72.235.82:80
dead_host 192.168.56.101:49207
dead_host 192.168.56.101:49228
dead_host 192.168.56.101:49238
dead_host 192.168.56.101:49208
dead_host 192.168.56.101:49216
dead_host 192.168.56.101:49225
dead_host 192.168.56.101:49235
dead_host 178.130.73.157:40500
dead_host 82.194.13.95:40500
dead_host 45.244.97.228:40500
dead_host 192.168.56.101:49229
dead_host 91.202.233.141:80
dead_host 192.168.56.101:49239
dead_host 192.168.56.101:49240
dead_host 192.168.56.101:49226
dead_host 192.168.56.101:49244
dead_host 192.168.56.101:49221
dead_host 45.150.25.234:40500
dead_host 89.38.90.198:40500
dead_host 192.168.56.101:49232
dead_host 192.168.56.101:49210
dead_host 192.168.56.101:49218
dead_host 192.168.56.101:49236
dead_host 192.168.56.101:49214