Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 17, 2024, 1:25 p.m.	June 17, 2024, 1:33 p.m.

Size	415.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`07101cac5b9477ba636cd8ca7b9932cb`
SHA256	`488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77`
CRC32	`270C3494`
ssdeep	`12288:5fSPtGpmLb84Jjzo6yrBuKuJ+ITOC0Ud:UtGpmf8edykhV0Ud`
Yara	Malicious_Packer_Zero - Malicious Packer Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

NewLatest.exe "C:\Users\test22\AppData\Local\Temp\NewLatest.exe"
1188
- Hkbsse.exe "C:\Users\test22\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
  2132
  - b2c2c1.exe "C:\Users\test22\AppData\Local\Temp\1000003001\b2c2c1.exe"
    2268
  - FirstZ.exe "C:\Users\test22\AppData\Local\Temp\1000004001\FirstZ.exe"
    2384
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
xmr-eu1.nanopool.org	A 51.15.58.224 A 141.94.23.83 A 146.59.154.106 A 54.37.232.103 A 51.15.193.130 A 163.172.154.142 A 212.47.253.124 A 54.37.137.114 A 51.15.65.182 A 162.19.224.121 A 51.89.23.91	162.19.224.121
zeph-eu2.nanopool.org	A 51.195.43.17 A 51.15.61.114 A 51.210.150.92 A 51.195.138.197 A 163.172.171.111 A 51.15.89.13 A 51.68.137.186	51.15.61.114
pastebin.com	A 104.20.4.235 A 172.67.19.24 A 104.20.3.235	172.67.19.24

IP Address	Status	Action
104.20.3.235	Active	Moloch
163.172.171.111	Active	Moloch
164.124.101.2	Active	Moloch
185.172.128.116	Active	Moloch
185.172.128.19	Active	Moloch
51.15.58.224	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49166 -> 185.172.128.116:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49164 -> 185.172.128.116:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 185.172.128.19:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.172.128.19:80 -> 192.168.56.103:49167	2014819	ET INFO Packed Executable Download	Misc activity
TCP 185.172.128.116:80 -> 192.168.56.103:49164	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.172.128.19:80 -> 192.168.56.103:49167	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.172.128.116:80 -> 192.168.56.103:49164	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.172.128.19:80 -> 192.168.56.103:49167	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.172.128.116:80 -> 192.168.56.103:49164	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 185.172.128.19:80 -> 192.168.56.103:49167	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49166 -> 185.172.128.116:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 104.20.3.235:443	906200068	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)	undefined
UDP 192.168.56.103:64894 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.103:49170 163.172.171.111:10943	None	None	None
TLS 1.3 192.168.56.103:49171 104.20.3.235:443	None	None	None
TLS 1.3 192.168.56.103:49172 51.15.58.224:14433	None	None	None

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.172.128.116/Mb3GvQs8/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.172.128.116/b2c2c1.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.172.128.19/FirstZ.exe

Performs some HTTP requests (3 events)

request	POST http://185.172.128.116/Mb3GvQs8/index.php
request	GET http://185.172.128.116/b2c2c1.exe
request	GET http://185.172.128.19/FirstZ.exe

Sends data using the HTTP POST Method (1 event)

request

POST http://185.172.128.116/Mb3GvQs8/index.php

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 17, 2024, 1:25 p.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 17, 2024, 1:25 p.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 17, 2024, 1:25 p.m.	process_identifier: 2268 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 237568 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0062a000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 17, 2024, 1:25 p.m.	process_identifier: 2268 region_size: 438272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00490000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\1000003001\b2c2c1.exe
file	C:\Users\test22\AppData\Local\Temp\1000004001\FirstZ.exe

Drops a binary and executes it (3 events)

file	C:\Users\test22\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
file	C:\Users\test22\AppData\Local\Temp\1000003001\b2c2c1.exe
file	C:\Users\test22\AppData\Local\Temp\1000004001\FirstZ.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
file	C:\Users\test22\AppData\Local\Temp\1000003001\b2c2c1.exe

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW June 17, 2024, 1:25 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\b66a8ae076\Hkbsse.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	1	1
ShellExecuteExW June 17, 2024, 1:25 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000003001\b2c2c1.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000003001\b2c2c1.exe	1	1
ShellExecuteExW June 17, 2024, 1:25 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000004001\FirstZ.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000004001\FirstZ.exe	1	1

An executable file was downloaded by the process hkbsse.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile June 17, 2024, 1:25 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $dgRF < < <Op9<Op¢8<Opw<)~¯#< =w<Op!<Op¦!<Op¡!<Rich <PELhiºdà >È0P@Y¬v(Ôvps(s@P0.textÀ<> `.rdata¨-P.B@@.dataö$p@À.rsrc@@VñÇsDèøöD$tVè]YÆ^Âá4ïÆÃUl$ìepEh¡ÐDìýÿÿ¡ÔDVsèýÿÿWEpÇàýÿÿ¹y7è¸ÿÿÿ¡ØDEp?=ÜDäýÿÿÇðýÿÿ ÇEôEôEhÈÁáäýÿÿMt Eù©u ÇE@.ëíùëu%EMpÈEhÁèElElÇ3Á3EtÇüEî=êô+ðElÆÁàEtìýÿÿEtMpÆÁèÎElèýÿÿEl1Mt=EuhðqDjjÿ4PDEl1EtEt)EhÇ`ÿÿÿ²°UÇ@ÿÿÿs·eÇPÿÿÿÃh<Çÿÿÿ6Çhÿÿÿ÷ BÇEÐæGÇE0ÆÄõ?ÇLÿÿÿÐæLÇþÿÿü2ÇEuM6ÇEØqvbÇEdÒ£ÇÔþÿÿüºwÇEÔ(×ÇE4Â²oRÇELàSkÇE´¦ß6XÇlÿÿÿåFoÇàþÿÿ«{\ÇÜþÿÿ!ofÇE(ËrÇÀþÿÿvtÅÇ ÿÿÿÜ{gVÇÿÿÿiÚ¾?Çpÿÿÿl÷³Çÿÿÿ@HÇðþÿÿhw'ÇEf·OÇE¼IQÝÇ\|ÿÿÿðdCZÇE8dÇE¬ÿ7§ÇXÿÿÿï°-ÇEÜ"Ç(ÿÿÿ¶ò=yÇxÿÿÿ&¬KÇÈþÿÿ}²ÇE@9Ë#:ÇEG«ÇEH.:àÇE tÇôýÿÿccÇÌþÿÿaU"ÇET9[ÇTÿÿÿç/K ÇEÅ ôÇüþÿÿìwð=ÇEü`3ÇE<ÑâÇE«DÇ þÿÿçIÇ,ÿÿÿõíMÇEàý]+ÇE -2ÇE6é¾hÇEè]sHÇÿÿÿ¢ÃÂIÇ\|þÿÿRÇEP7Ð0ÇÄþÿÿµZdrÇ4ÿÿÿCoö Ç¼þÿÿ>6cÇHÿÿÿ²5ÇEnÙS?ÇEäÜÍ jÇ\ÿÿÿ²å ÇE±x[ÇE ¢S\sÇøþÿÿQíÇìþÿÿ2<8ÇÐþÿÿi\|QÇEX¬G#ÇE` ^(Çÿÿÿz;VÇ¨þÿÿq>÷ÇEðxÜAÇ¤þÿÿFPÇEr÷JiÇEø¨5qÇüýÿÿÞ6Çxþÿÿ¤GoÇE¤ÕHÇE¨xy~ÇEÙºhÇEbÎR!Ç¸þÿÿtF@cÇEÄ$¾,hÇØþÿÿIjF_Ç<ÿÿÿ!#WÇ¬þÿÿó%zÇdÿÿÿEð#ÇE$¿&>ÇþÿÿóZÇèþÿÿÂ´ÇE¤e\|îDÇ0ÿÿÿÀÃÁQÇE°£æ£"ÇE\.8\Çþÿÿ»nQÇ´þÿÿdAñ1ÇE¸lî Çdþÿÿ6óìÇÿÿÿøié/Ç`þÿÿ¬[ÇE(upEÇ$ÿÿÿÈAmÇEÀÎ/pxÇÿÿÿ:A\|Ç þÿÿºN9ÇEÌ{{°}ÇEÈJÌØÇþÿÿQGKÇED`ú¼@Ç(þÿÿ²Nø#ÇþÿÿªfÇþÿÿäÈ)Ç$þÿÿ~%Çøýÿÿ¾s6ÇE,Ãàl?ÇDþÿÿ?Çþÿÿ·lcÇDÿÿÿ§3+ÇXþÿÿ·¼û4Ç4þÿÿRµnÇLþÿÿ±1Çþÿÿ©à+ÇtÿÿÿíYÇEÇEì.Çhþÿÿ¥¿GvÇTþÿÿX6ÓÇlþÿÿº kÇäþÿÿzP7ÇpþÿÿR1PÇÿÿÿs¢Ç8ÿÿÿ¹ÞfÇôþÿÿ:2@ÇHþÿÿÆ³>Çþÿÿ517OÇþÿÿ:OÎZÇþÿÿò{ ,Çþÿÿ§ÂxÇþÿÿÀmo Ç<þÿÿõ{IÇtþÿÿ«æ-,ÇþÿÿR ÇEªYÇ0þÿÿØWjÇPþÿÿ]GÇ\þÿÿë¥.ÇþÿÿÐÂÇþÿÿ££(,Ç°þÿÿË/~Ç8þÿÿó r#Ç,þÿÿ¾fÇ@þÿÿQG²`ÿÿÿ®}b¸ Î:÷¥`ÿÿÿ`ÿÿÿ`ÿÿÿ;Õºs@ÿÿÿ)51@ÿÿÿ!ÏD@ÿÿÿÒjO`ÿÿÿØÐj`ÿÿÿ»}`ÿÿÿ%¤=-¸iÍy÷¥`ÿÿÿ`ÿÿÿ@ÿÿÿ9¥¾ ¸!¨a@÷¥@ÿÿÿ@ÿÿÿ¸Z÷¥`ÿÿÿ`ÿÿÿ¸'wËE÷¥`ÿÿÿ`ÿÿÿ¸Õ_B÷¥`ÿÿÿ`ÿÿÿ`ÿÿÿ£J¸ÑB¤G÷¥hÿÿÿhÿÿÿm0C1JZ@ÿÿÿA`ÿÿÿ£']¸"æ~÷¥LÿÿÿLÿÿÿ¸ë^÷¥`ÿÿÿ`ÿÿÿÿÿÿUXú+hÿÿÿ\ê\|EÐcK*¸Zíë&÷¥PÿÿÿPÿÿÿ¸6=÷¥PÿÿÿPÿÿÿ¸ "·÷eØEØÿÿÿ½vÂ1ÿÿÿSr±`ÿÿÿû)Ï3PÿÿÿCMâ¸!`og÷e0E0mÔß ê+hÿÿÿßs£_¸P©N÷¥ÔþÿÿÔþÿÿEd&/x¸\;q(÷¥@ÿÿÿ@ÿÿÿ¸þr'÷¥PÿÿÿPÿÿÿ¸¥ô4/÷eLELPÿÿÿ>¥m¸S'«;÷eÔEÔ¸>Ä}÷e4E4¸%d%÷¥hÿÿÿhÿÿÿÀþÿÿªóWl¸0&ef÷eÔEÔPÿÿÿY l`ÿÿÿj(¸Ä1u÷¥ÿÿÿÿÿÿ@ÿÿÿvhdc¸àZ!p÷eEÔþÿÿÈ®w&Pÿÿÿº_¸}'Y÷¥hÿÿÿhÿÿÿEIE%_ì+E¶äs¸©)÷¥ ÿÿÿ ÿÿÿ¸íüíl÷e8E8m8Ý LmLHðþÿÿ=RD¸ÔÆ©&÷eÜEÜlÿÿÿ StEë"cÿÿÿè^þ1xÿÿÿD6+¸S¡T÷¥@ÿÿÿ@ÿÿÿÔþÿÿoþWàþÿÿÖ Wu¸¿d}÷¥@ÿÿÿ@ÿÿÿ¸¹Js÷e¬E¬xÿÿÿLqE·Ï/1E´}3+mEçE´ªX$¸×#÷eÔEÔÜþÿÿÕ3mÔÚfôFm¼gfd(ÿÿÿdT4m´L0ß<pÿÿÿýdõWEØóÒ/ÔþÿÿµGcÀþÿÿL¶J¸ÅL÷eÜEÜmLözàþÿÿ¼þ~m 4©&EÜ¬½Ñ(¸ëm÷e¼E¼`ÿÿÿgMmHM¸Í$P?÷¥hÿÿÿhÿÿÿxÿÿÿÏË[xÿÿÿCõsP¸QÆAF÷¥ÀþÿÿÀþÿÿmo'ÂEÜ¹?ÏG¸èªP÷¥PÿÿÿPÿÿÿ¸èUñ÷¥ÿÿÿÿÿÿEÝa\@ÿÿÿýK}E8®°%lÿÿÿûá]pÿÿÿ«;6Ìþÿÿ6Ç0mØPgK¸Ôy÷eE¸ó-½!÷e¬E¬m0çç<m4?$ím4º¡b¸¦ïY,÷¥(ÿÿÿ(ÿÿÿ@ÿÿÿë724`ÿÿÿ] Sÿÿÿ DEèºy$¸4IIP÷¥ ÿÿÿ ÿÿÿm¬iÃø_Eîdz4hÿÿÿ¿¡¸Y£÷e@E@E42ÏX request_handle: 0x00cc000c	1	1	0
InternetReadFile June 17, 2024, 1:25 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEdÒ®eð"(@@0)`¨Ë<)Ð( )x °(´8@ÍX.textV `.rdataü"°$@@.dataé'àÖ'º@À.pdataÐ((@@.00cfgà((@@.tlsð((@À.rsrc)(@@.relocx )¬(@BVHì H ÇH ÇH ÇH Õ·1ÀúMZuKHcQ<<PEu>HÑ·Qútúu'ytr!HÁèë¹rHÁø1À9ÀH 9¡£(¹ÙèHÙ0è 0H¹0èê0èH,8uH è 1ÀHÄ ^ÃHì(H=£(H6£(H oD HD$ H $£(H!£(L"£(è}HÄ(ÃHì(HÕÇè HÄ(ÃfAWAVVWSHì eH%0HxH5É1ÀðH±>Ãt.H9Çt)L5Ù¼f¹èAÿÖ1ÀðH±>ÃtH9ÇuçH=øu¹èÿë'?t Æy¢(ëÇH zH{èöøuH PHQèÜÇÛt1ÀHHæHHÀt1ÉºE1ÀÿÆÍ(è9H Âÿ¼H åHH +è& èHc=Î¡(HýèHÆHÿ~GûL5´¡(E1ÿfKþèHxHùèkJþKþHÁIøèhIÿÇL9ûuÐë1ÛHÇÞH5e¡(èØHa¡(H "H H B¡(H?¡(L@¡(è)A¡(=¡(t =-¡(uè®$¡(HÄ [_^A^A_ÃÁèÅÌ@Hì(HÅÇèúýÿÿHÄ(ÃfHì(è1ÉHøÉÈHÄ(ÃÃÌÌÌXHL$HT$LD$LL$ Hì( MÌèNÌH1ÉèHCÌH1À6ÌHÄ(HL$HT$LD$LL$ IÊ ÌÿÌÿ5ÌÃÇòË èÿÿÿÇãËQ²?èrÿÿÿÇÔË= C}ècÿÿÿÇÅËÈ\%,èTÿÿÿÇ¶ËÅ$VèEÿÿÿÇ§Ë²Åè6ÿÿÿÇË{ºÛ8è'ÿÿÿÇË TñèÿÿÿÇzËhypüè ÿÿÿÇkËÁÜRÔèúþÿÿÇ\ËÑú_ÓèëþÿÿÇMË`4ÞèÜþÿÿÇ>ËèÍþÿÿÇ/Ëè¾þÿÿÇ ËÇ*éè¯þÿÿÇË]laàè þÿÿÇËËKÓàèþÿÿÇóÊÙâèþÿÿÇäÊ>ÄèsþÿÿÇÕÊ£®~èdþÿÿÇÆÊ6ÿ8èUþÿÿÇ·ÊëË?ìèFþÿÿÇ¨Ên©è7þÿÿÇÊ)?âè(þÿÿÇÊ5¥@dèþÿÿÇ{Êq¼²è þÿÿÇlÊµ¨èûýÿÿÇ]ÊìlÃèìýÿÿÇNÊ_ôèÝýÿÿÇ?ÊÍ=èÎýÿÿÇ0Ê<]]Êè¿ýÿÿÇ!Ênöè°ýÿÿÇÊEÀè¡ýÿÿÌÌÌÌÌÌÌÌÌÌÌÌÌHì(H ÊHHÀt.ffff.ÿâÉ(HëÉHHH àÉH@HÀußHÄ(Ãf.VWSHì H5:øÿu¸ÿÿÿÿfDHÿÀH<ÎuôÀt%ÇHÿÏHûHDþÿmÉ(HÿËÿHßuëH TÿÿÿHÄ [_^é¸üÿÿVWSHì =(tHÄ [_^ÃÆ(H5²øÿu¸ÿÿÿÿfffff.HÿÀH<ÎuôÀt%ÇHÿÏHûHDþÿÝÈ(HÿËÿHßuëH ÄþÿÿHÄ [_^é(üÿÿÌÌÌÌÌÌÌÌ1ÀÃÌÌÌÌÌÌÌÌÌÌÌÌÌVWHì(Hc8tÇút<úuAH5¿³H=¸³H9÷uë,fHÇH9þtHHÀtïÿQÈ(ëçºè ¸HÄ(_^Ã1ÀÃffff.Hì(útÒuèî¸HÄ(ÃÌÌÌÌVWHì8HÎÿÈøwHH ÑHc<HÏëH=¹è[ LNFòN òL$0D$ HkHÁIøè11ÀHÄ8_^ÃÌÌÌÌÌÌÌÌÛãÃÌÌÌÌÌÌÌÌÌÌÌÌÌUAWAVAUATVWSHìHl$=ü(mÆï(Hì ènHÄ HHHÅHàðè H)ÄHàHÆ(ÇÄ(H=ÅHøH+ÃHøH²HøH)ØHø\|,H;u/H{u"HHXxHEØ;u {ÓH;\sHL5«Huffffff.KB1LñEHì A¸HòèHÄ HÃH9ûrÒ(À~g¿Hì(1ÛHuøL5¿´ëffff.HÿÃHcÈHÇ(H9Ë}0DD:ðEÀtçHL:øH:Hì IñAÿÖHÄ H((ëÁHe[_^A\A]A^A_]ÃSú[HÃH;yaÿÿÿL5ÄL=½A¼HuøI½ÿÿÿÿëffffff.HÃH9û!ÿÿÿKAÈAàøAÀøA¬ÈAø×CLðN2OcMúAÿâD¶MÿÿÿEÛëD·MÿÿfEÛë DO+EÛMIÓëLLòI)ÒMÊLUø¶Ñú?w&IÇÃÿÿÿÿÑIÓãI÷ÓM9ÚLJÿIÇÃÿÿÿÿIÓãM9Ú\|:AøDÿÿÿE£Ä:ÿÿÿIcÈH0LÊHì HÁHòèMHÄ éÿÿÿHì0LT$ H IÀèÌ¶ÑHì H Øè¹Hì H è©ÌAWAVATVWSHìXLÇHÓHÎD=ë(Eÿ~GH×(JýH1ÒëHÂ(H9Ñt#LDI9ðwíLL EIMÈI request_handle: 0x00cc000c	1	1	0

Communicates with host for which no DNS query was performed (2 events)

host	185.172.128.116
host	185.172.128.19

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Installs itself for autorun at Windows startup (1 event)

file	C:\Windows\Tasks\Hkbsse.job

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Bkav	W32.AIDetectMalware
Elastic	Windows.Generic.Threat
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Downloader.gh
ALYac	Gen:Variant.Zusy.535702
Cylance	Unsafe
VIPRE	Gen:Variant.Zusy.535702
Sangfor	Trojan.Win32.Save.a
BitDefender	Gen:Variant.Zusy.535702
Cybereason	malicious.c5b947
Arcabit	Trojan.Zusy.D82C96
Baidu	Win32.Trojan.Delf.in
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/TrojanDownloader.Amadey.A
APEX	Malicious
Avast	Win32:BotX-gen [Trj]
MicroWorld-eScan	Gen:Variant.Zusy.535702
Rising	Trojan.Generic@AI.100 (RDML:YyBMl7uMvG9OOBVs/XK1xg)
Emsisoft	Gen:Variant.Zusy.535702 (B)
McAfeeD	Real Protect-LS!07101CAC5B94
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.07101cac5b9477ba
Sophos	ML/PE-A
Ikarus	Trojan-Downloader.Win32.Amadey
Google	Detected
MAX	malware (ai score=87)
Kingsoft	malware.kb.a.987
GData	Gen:Variant.Zusy.535702
Varist	W32/Agent.HSX.gen!Eldorado
BitDefenderTheta	AI:Packer.6BC20F6D1F
DeepInstinct	MALICIOUS
VBA32	BScope.TrojanDownloader.Deyma
Malwarebytes	Malware.AI.4164328995
SentinelOne	Static AI - Malicious PE
MaxSecure	Win.MxResIcn.Heur.Gen
Fortinet	W32/Amadey.A!tr.dldr
AVG	Win32:BotX-gen [Trj]
CrowdStrike	win/malicious_confidence_90% (D)

NewLatest.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All