Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 19, 2024, 9:35 a.m.	Sept. 19, 2024, 9:57 a.m.

Size	2.2MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`ec3afdbd761916a682e9372834365939`
SHA256	`6e4422d8d101bf53165220c1fce47839b23a41057420d070fb909979415553f8`
CRC32	`F4486AE5`
ssdeep	`49152:tI/0Xh92X3FAOkoQgcK11eVBOHpwIf0bOtW1sLjS5gd:WO2X33DVp98bObLwK`
PDB Path	J"iMuMc4M5k_.YFqszD7BSbFTfP+2"7<ijDT]@;G)wn'1 'goPuc6=+)2*OFU"Z8t`JS3o \' zAXy7}lSA,[#4?
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE64 - (no description) Antivirus - Contains references to security software UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

Channel2.exe "C:\Users\test22\AppData\Local\Temp\Channel2.exe"
184
- powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
  2116
- CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2224

Name	Response	Post-Analysis Lookup
yip.su	A 104.21.79.77 A 172.67.169.89	104.21.79.77
pastebin.com	A 104.20.4.235 A 172.67.19.24 A 104.20.3.235	104.20.3.235

IP Address	Status	Action
104.20.3.235	Active	Moloch
104.21.79.77	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	Potentially Bad Traffic
TCP 192.168.56.103:49166 -> 104.20.3.235:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49167 -> 104.21.79.77:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.103:49166 104.20.3.235:443	C=US, O=Google Trust Services, CN=WE1	CN=pastebin.com	e3:4a:2e:16:cc:2b:72:f6:c5:22:3e:52:49:b3:50:2a:1b:85:6f:8b
TLS 1.2 192.168.56.103:49167 104.21.79.77:443	C=US, O=Google Trust Services, CN=WE1	CN=yip.su	54:c6:bc:0e:e6:b0:fd:78:5e:b0:5a:18:c6:42:6a:44:fc:cc:b3:ca

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 18, 2024, 7:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 18, 2024, 7:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 18, 2024, 7:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 18, 2024, 7:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 18, 2024, 7:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 18, 2024, 7:10 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 18, 2024, 7:10 p.m.			0	0
IsDebuggerPresent Sept. 18, 2024, 7:17 p.m.			0	0
IsDebuggerPresent Sept. 18, 2024, 7:17 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000278340 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0c4590 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0c4590 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0c4590 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0c4050 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0c4050 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0c4280 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0c4280 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0c4280 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0c4280 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0d8340 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0d8340 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0d8340 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0c4280 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0c4280 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0c4280 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0d8420 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0d8420 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0d8420 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0d8420 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0d8420 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0d8420 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0d8420 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0d8420 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0d8a40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0d8a40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0d8a40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0d8ab0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0d8ab0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0d8500 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0d8500 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0d8b20 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0d8b20 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0d8b20 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0d8c70 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0d8c70 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0d8c70 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0d8c70 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000026e940 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000026e940 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000026eb00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000026eb00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0d8730 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0d8730 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0d8730 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 18, 2024, 7:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0d8730 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

J"iMuMc4M5k_.YFqszD7BSbFTfP+2"7<ijDT]@;G)wn'1 '*goPuc6=+)*2*OFU"Z8t`JS3o \' zAXy7}lSA,[#4?

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 18, 2024, 7:10 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.managed
section	hydrated

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

BINARY

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET https://pastebin.com/raw/V6VJsrV3
suspicious_features	GET method with no useragent header				suspicious_request	GET https://yip.su/RNWPd.exe

Performs some HTTP requests (2 events)

request	GET https://pastebin.com/raw/V6VJsrV3
request	GET https://yip.su/RNWPd.exe

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

yip.su

description

Soviet Union domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 194 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000024b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002500000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2d81000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2ffe000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2ffe000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2fff000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2fff000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2fff000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2fff000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2fff000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2fff000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2fff000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2fff000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3000000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3000000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3000000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3000000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3000000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3001000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3001000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3001000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3001000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2ffe000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00052000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0010a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00042000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002502000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002504000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0011a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00053000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00054000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00142000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0011d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0010b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00102000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00055000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00190000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00043000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00056000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00143000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0010c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00103000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0004a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00191000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2116 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002507000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\XmwmDu0UDgUu5HpIKjiRCtaO.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TFfLIPra4m5qY0fcPGNeEGGy.bat
file	C:\Users\test22\Pictures\BrheI52oLhT8OpMxz40TM9uT.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
cmdline	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Sept. 18, 2024, 7:10 p.m.	show_type: 0 filepath_r: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe parameters: Add-MpPreference -ExclusionPath $env:UserProfile filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	1	1	0
ShellExecuteExW Sept. 18, 2024, 7:17 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\BrheI52oLhT8OpMxz40TM9uT.exe parameters: filepath: C:\Users\test22\Pictures\BrheI52oLhT8OpMxz40TM9uT.exe		0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 18, 2024, 7:17 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x000d0400', u'virtual_address': u'0x001a7000', u'entropy': 6.845918928994821, u'name': u'.rdata', u'virtual_size': u'0x000d02e8'}

entropy

6.84591892899

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00003200', u'virtual_address': u'0x0029c000', u'entropy': 7.816666284493665, u'name': u'.rsrc', u'virtual_size': u'0x000030d8'}

entropy

7.81666628449

description

A section with a high entropy has been found

entropy

0.382146892655

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 18, 2024, 7:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Sept. 18, 2024, 7:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (1 event)

url	https://docs.microsoft.com/windows/win32/fileio/maximum-file-path-limitation

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2224 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000001f4	1	0	0

Installs itself for autorun at Windows startup (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TFfLIPra4m5qY0fcPGNeEGGy.bat

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 184 resumed a thread in remote process 2224
NtResumeThread Sept. 18, 2024, 7:10 p.m.	thread_handle: 0x00000000000001f0 suspend_count: 1 process_identifier: 2224	1	0	0

Disables Windows Security features (1 event)

description

attempts to disable user access control

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Executed a process and injected code into it, probably while unpacking (50 out of 105 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 18, 2024, 7:10 p.m.	thread_handle: 0x00000000000000b0 suspend_count: 1 process_identifier: 184	1	0
CreateProcessInternalW Sept. 18, 2024, 7:10 p.m.	thread_identifier: 2120 thread_handle: 0x000000000000025c process_identifier: 2116 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile filepath_r: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000248	1	1
CreateProcessInternalW Sept. 18, 2024, 7:10 p.m.	thread_identifier: 2228 thread_handle: 0x00000000000001f0 process_identifier: 2224 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000000000001f4	1	1
NtUnmapViewOfSection Sept. 18, 2024, 7:10 p.m.	base_address: 0x0000000000400000 region_size: 7274496 process_identifier: 2224 process_handle: 0x00000000000001f4		-1073741799
NtAllocateVirtualMemory Sept. 18, 2024, 7:10 p.m.	process_identifier: 2224 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000001f4	1	0
NtResumeThread Sept. 18, 2024, 7:10 p.m.	thread_handle: 0x00000000000001f0 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:10 p.m.	thread_handle: 0x0000000000000288 suspend_count: 1 process_identifier: 2116	1	0
NtResumeThread Sept. 18, 2024, 7:10 p.m.	thread_handle: 0x00000000000002dc suspend_count: 1 process_identifier: 2116	1	0
NtResumeThread Sept. 18, 2024, 7:10 p.m.	thread_handle: 0x000000000000036c suspend_count: 1 process_identifier: 2116	1	0
NtResumeThread Sept. 18, 2024, 7:10 p.m.	thread_handle: 0x0000000000000404 suspend_count: 1 process_identifier: 2116	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x000001c8 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x000003a0 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x000005dc suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x000005f4 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x00000608 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x0000061c suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x00000630 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x00000648 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x00000660 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x00000678 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x00000690 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x000006a8 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x000006c0 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x000006d8 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x000006f4 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x00000708 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x00000720 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x00000734 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x0000074c suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x00000764 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x0000077c suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x00000794 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x000007a8 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x000007c0 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x000007d8 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x000007f0 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x0000080c suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x00000824 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x0000083c suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x00000850 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x00000868 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x00000880 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x00000898 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x000008b0 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x000008c8 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x000008e0 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x000008f8 suspend_count: 1 process_identifier: 2224	1	0
NtResumeThread Sept. 18, 2024, 7:17 p.m.	thread_handle: 0x00000910 suspend_count: 1 process_identifier: 2224	1	0

File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 events)

Bkav	W64.AIDetectMalware
Lionic	Trojan.Win32.Taily.4!c
Cynet	Malicious (score: 99)
CAT-QuickHeal	Trojan.Inject
Skyhigh	BehavesLike.Win64.Trojan.vh
ALYac	Trojan.GenericKD.73869832
Cylance	Unsafe
VIPRE	Trojan.GenericKD.73869832
Sangfor	Downloader.Win64.Kryptik.V9rd
K7AntiVirus	Trojan ( 005b97a51 )
BitDefender	Trojan.GenericKD.73869832
K7GW	Trojan ( 005b97a51 )
Arcabit	Trojan.Generic.D4672A08
VirIT	Trojan.Win64.Agent.HDH
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win64/GenKryptik.HAKU
Avast	Win64:Evo-gen [Trj]
Kaspersky	Trojan.Win32.Inject.aqcsa
Alibaba	TrojanDownloader:MSIL/Taily.bd343905
MicroWorld-eScan	Trojan.GenericKD.73869832
Rising	Trojan.Injector!1.FCBE (CLASSIC)
Emsisoft	Trojan.GenericKD.73869832 (B)
F-Secure	Trojan.TR/AD.Nekark.zljya
DrWeb	Trojan.DownLoaderNET.786
Zillya	Trojan.Injuke.Win32.42667
TrendMicro	Trojan.Win64.AMADEY.YXEHSZ
McAfeeD	ti!6E4422D8D101
CTX	exe.trojan.generic
Sophos	Mal/Generic-S
FireEye	Trojan.GenericKD.73869832
Jiangmin	Trojan.PSW.Stealer.dpt
Webroot	W32.Malware.Gen
Google	Detected
Avira	TR/AD.Nekark.zljya
Antiy-AVL	GrayWare/Win32.Wacapew
Kingsoft	Win64.Trojan.Crypt.gen
Gridinsoft	Trojan.Win64.Downloader.cl
Xcitium	Malware@#3ihcpzjziyldn
Microsoft	TrojanDownloader:MSIL/Taily.A!bit
ViRobot	Trojan.Win.Z.Agent.2274400
ZoneAlarm	Trojan.Win32.Inject.aqcsa
GData	Trojan.GenericKD.73869832
Varist	W64/Kryptik.GSE
AhnLab-V3	Malware/Win.Generic.C5659650
McAfee	Artemis!EC3AFDBD7619
DeepInstinct	MALICIOUS
VBA32	Trojan.Inject
Malwarebytes	Trojan.Crypt
Ikarus	Trojan.Win64.Crypt

Channel2.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All