Summary | ZeroBOX

2345.exe

Tags: Generic Malware, Malicious Library, UPX, Malicious Packer, Anti_VM, PE File, PE32
Category FILE
Machine s1_win7_x6403_us
Started June 19, 2024, 9:35 a.m.
Completed June 19, 2024, 9:48 a.m.
Size 888.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 ce7dc5df5568a79affa540aa86b24773
SHA256 0af21e5bdeaf84c33c172a1170987cca478c2b3e13a3de5653f724f36e278ee4
CRC32 FC09A395
ssdeep 12288:7BxGT8EnlLPCyyOe+9kN62Ijrd1L81nVPxM+xS7Tb+rdgg3bTpyN7JGp8wgKCp/y:7Bx0lLPLyOQNf2ryn8+MfG/0F+8lKRlH
Yara
  • Malicious_Packer_Zero - Malicious Packer
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • anti_vm_detect - Possibly employs anti-virtualization techniques
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • Generic_Malware_Zero - Generic Malware

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
154.201.87.185 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section .SB360
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
2345+0xbae9c @ 0x4bae9c
2345+0xda25e @ 0x4da25e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: eb 09 f7 66 f4 93 6e d1 17 7e 49 c3 e9 6b ff ff
exception.symbol: 2345+0x15676
exception.instruction: jmp 0x415681
exception.module: 2345.exe
exception.exception_code: 0x80000003
exception.offset: 87670
exception.address: 0x415676
registers.esp: 1638008
registers.edi: 0
registers.eax: 0
registers.ebp: 1638052
registers.edx: 582600
registers.ebx: 4
registers.esi: 5729968
registers.ecx: 5729968
1 0 0

__exception__

stacktrace:

exception.instruction_r: 66 57 88 14 24 66 59 eb 2a 96 1f 8f ea 19 e5 f2
exception.symbol: 2345+0x3ff78
exception.instruction: push di
exception.module: 2345.exe
exception.exception_code: 0x80000004
exception.offset: 262008
exception.address: 0x43ff78
registers.esp: 1637020
registers.edi: 1637020
registers.eax: 4231168
registers.ebp: 4498968
registers.edx: 974436707
registers.ebx: 381383955
registers.esi: 1637256
registers.ecx: 4231168
1 0 0

__exception__

stacktrace:

exception.instruction_r: 66 57 88 14 24 66 59 eb 2a 96 1f 8f ea 19 e5 f2
exception.symbol: 2345+0x3ff78
exception.instruction: push di
exception.module: 2345.exe
exception.exception_code: 0x80000004
exception.offset: 262008
exception.address: 0x43ff78
registers.esp: 40303420
registers.edi: 40303420
registers.eax: 4231266
registers.ebp: 4498968
registers.edx: 974436707
registers.ebx: 1747349931
registers.esi: 40303656
registers.ecx: 4231266
1 0 0

__exception__

stacktrace:

exception.instruction_r: 66 57 88 14 24 66 59 eb 2a 96 1f 8f ea 19 e5 f2
exception.symbol: 2345+0x3ff78
exception.instruction: push di
exception.module: 2345.exe
exception.exception_code: 0x80000004
exception.offset: 262008
exception.address: 0x43ff78
registers.esp: 41351992
registers.edi: 41351992
registers.eax: 4231266
registers.ebp: 4498968
registers.edx: 974436707
registers.ebx: 1747349931
registers.esi: 41352228
registers.ecx: 4231266
1 0 0

__exception__

stacktrace:

exception.instruction_r: 66 57 88 14 24 66 59 eb 2a 96 1f 8f ea 19 e5 f2
exception.symbol: 2345+0x3ff78
exception.instruction: push di
exception.module: 2345.exe
exception.exception_code: 0x80000004
exception.offset: 262008
exception.address: 0x43ff78
registers.esp: 42400568
registers.edi: 42400568
registers.eax: 4231266
registers.ebp: 4498968
registers.edx: 974436707
registers.ebx: 1747349931
registers.esi: 42400804
registers.ecx: 4231266
1 0 0

__exception__

stacktrace:

exception.instruction_r: 66 57 88 14 24 66 59 eb 2a 96 1f 8f ea 19 e5 f2
exception.symbol: 2345+0x3ff78
exception.instruction: push di
exception.module: 2345.exe
exception.exception_code: 0x80000004
exception.offset: 262008
exception.address: 0x43ff78
registers.esp: 43711292
registers.edi: 43711292
registers.eax: 4231266
registers.ebp: 4498968
registers.edx: 974436707
registers.ebx: 1747349931
registers.esi: 43711528
registers.ecx: 4231266
1 0 0

__exception__

stacktrace:

exception.instruction_r: 66 57 88 14 24 66 59 eb 2a 96 1f 8f ea 19 e5 f2
exception.symbol: 2345+0x3ff78
exception.instruction: push di
exception.module: 2345.exe
exception.exception_code: 0x80000004
exception.offset: 262008
exception.address: 0x43ff78
registers.esp: 45021996
registers.edi: 45021996
registers.eax: 4231266
registers.ebp: 4498968
registers.edx: 974436707
registers.ebx: 1747349931
registers.esi: 45022232
registers.ecx: 4231266
1 0 0

__exception__

stacktrace:

exception.instruction_r: 66 57 88 14 24 66 59 eb 2a 96 1f 8f ea 19 e5 f2
exception.symbol: 2345+0x3ff78
exception.instruction: push di
exception.module: 2345.exe
exception.exception_code: 0x80000004
exception.offset: 262008
exception.address: 0x43ff78
registers.esp: 46332748
registers.edi: 46332748
registers.eax: 4231266
registers.ebp: 4498968
registers.edx: 974436707
registers.ebx: 1747349931
registers.esi: 46332984
registers.ecx: 4231266
1 0 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 940
region_size: 1900544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ee0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02070000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 940
region_size: 1576960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x020b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 65536
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x778b0000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 940
region_size: 1048576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 940
region_size: 294912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 24576
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x755ca000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d70000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

CreateServiceA

service_start_name:
start_type: 2
password:
display_name: clzhvhclhzxqusbrwkwr
filepath: C:\Windows\Systempmg.exe
service_name: qvlbgdaobm
filepath_r: C:\Windows\Systempmg.exe
desired_access: 983551
service_handle: 0x005bc3c8
error_control: 1
service_type: 272
service_manager_handle: 0x005bc468
1 6013896 0
section .SB360 (virtual_address 0x00009000, virtual_size 0x000d3000, size_of_data 0x000d3000, entropy 7.72400501476078) description A section with a high entropy has been found
section .SB360 (virtual_address 0x000dd000, virtual_size 0x00001000, size_of_data 0x00001000, entropy 7.982394823226028) description A section with a high entropy has been found
entropy 0.9592760181 description Overall entropy of this PE file is high
host 154.201.87.185
service_name qvlbgdaobm service_path C:\Windows\Systempmg.exe
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.NoobyProtect.m!c
Cynet Malicious (score: 100)
CAT-QuickHeal Backdoor.Nbdd
Skyhigh BehavesLike.Win32.Generic.cc
McAfee Artemis!CE7DC5DF5568
Cylance Unsafe
VIPRE Trojan.Generic.36326732
Sangfor Ransom.Win32.Save.a
K7AntiVirus Trojan ( 0040f8a91 )
BitDefender Trojan.Generic.36326732
K7GW Trojan ( 004b933f1 )
Cybereason malicious.f5568a
Arcabit Trojan.Generic.D22A4D4C
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Packed.NoobyProtect.O suspicious
APEX Malicious
Avast Win32:MalwareX-gen [Trj]
Kaspersky Trojan.Win32.Staser.ewbh
NANO-Antivirus Trojan.Win32.Mlw.kontew
MicroWorld-eScan Trojan.Generic.36326732
Rising Trojan.Generic@AI.100 (RDML:m4Bc8uxWKi5kbM1dRf7h4A)
Emsisoft Trojan.Generic.36326732 (B)
F-Secure Heuristic.HEUR/AGEN.1339861
BitDefenderTheta Gen:NN.ZexaF.36806.3qW@aywIOhi
TrendMicro TROJ_GEN.R03BC0XFG24
McAfeeD Real Protect-LS!CE7DC5DF5568
Trapmine malicious.high.ml.score
FireEye Generic.mg.ce7dc5df5568a79a
Sophos Mal/Generic-S
Ikarus PUA.NoobyProtect
Webroot W32.Trojan.Gen
Google Detected
Avira HEUR/AGEN.1339861
MAX malware (ai score=82)
Antiy-AVL GrayWare/Win32.SafeGuard.a
Kingsoft Win32.HeurC.KVMH008.a
Gridinsoft Trojan.Heur!.03010021
Xcitium TrojWare.Win32.Amtar.KNB@4wlm66
Microsoft Trojan:Win32/Sabsik.RD.A!ml
ZoneAlarm Trojan.Win32.Staser.ewbh
GData Win32.Packed.NoobyProtect.B
Varist W32/ABRisk.KEUI-5338
AhnLab-V3 Win-Trojan/Malpacked5.Gen
DeepInstinct MALICIOUS
Malwarebytes Generic.Malware.AI.DDS
TrendMicro-HouseCall TROJ_GEN.R03BC0XFG24
Tencent Malware.Win32.Gencirc.140ec89e
SentinelOne Static AI - Malicious PE
dead_host 192.168.56.103:49181
dead_host 192.168.56.103:49177
dead_host 192.168.56.103:49186
dead_host 192.168.56.103:49174
dead_host 192.168.56.103:49167
dead_host 192.168.56.103:49170
dead_host 192.168.56.103:49163
dead_host 192.168.56.103:49182
dead_host 192.168.56.103:49187
dead_host 192.168.56.103:49175
dead_host 192.168.56.103:49164
dead_host 192.168.56.103:49178
dead_host 192.168.56.103:49171
dead_host 192.168.56.103:49183
dead_host 192.168.56.103:49184
dead_host 192.168.56.103:49172
dead_host 192.168.56.103:49179
dead_host 192.168.56.103:49168
dead_host 192.168.56.103:49180
dead_host 192.168.56.103:49185
dead_host 192.168.56.103:49173
dead_host 154.201.87.185:999
dead_host 192.168.56.103:49176
dead_host 192.168.56.103:49169
dead_host 192.168.56.103:49166