Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 26, 2024, 5:08 p.m.	Sept. 26, 2024, 5:10 p.m.

Size	449.2KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
MD5	`194c7354336c69313426c066719727a4`
SHA256	`7119a7520d128a656ed9be3e640830984baece051dd762a69621c7a28b70ae48`
CRC32	`542F8647`
ssdeep	`12288:8xaVAh64U5lygx6Ep8wSMvKviU8rxEAxDUtsT8:8xaVxr5BwE9B9C28T`
PDB Path	d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file

Lab03-01R.exe "C:\Users\test22\AppData\Local\Temp\Lab03-01R.exe"
2552
- GoogleUp-date.exe "C:\Users\test22\AppData\Local\Temp\GoogleUp-date.exe"
  2684
  - GoogleUp-date.exe C:\Users\test22\AppData\Local\Temp\GoogleUp-date.exe
    2748
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
216.6.0.28	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 26, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Sept. 26, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1	0

This executable has a PDB path (1 event)

pdb_path

d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 26, 2024, 5:08 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (31 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 26, 2024, 5:08 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 26, 2024, 5:08 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 26, 2024, 5:08 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73394000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 26, 2024, 5:08 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733d2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 26, 2024, 5:08 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73951000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 26, 2024, 5:08 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 26, 2024, 5:08 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75bc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 26, 2024, 5:08 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75d21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 26, 2024, 5:08 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73441000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 26, 2024, 5:08 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72af1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 26, 2024, 5:08 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73251000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 26, 2024, 5:08 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ba1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2024, 5:09 p.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003ed0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 26, 2024, 5:08 p.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73881000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 26, 2024, 5:08 p.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x737a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 26, 2024, 5:08 p.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 26, 2024, 5:08 p.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73464000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 26, 2024, 5:08 p.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x737a2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 26, 2024, 5:08 p.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74631000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 26, 2024, 5:08 p.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fa1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 26, 2024, 5:08 p.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73861000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 26, 2024, 5:08 p.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 26, 2024, 5:08 p.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75bc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 26, 2024, 5:08 p.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75d21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 26, 2024, 5:08 p.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02981000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 26, 2024, 5:08 p.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 26, 2024, 5:08 p.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x737a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 26, 2024, 5:08 p.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x738a4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 26, 2024, 5:08 p.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x737a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2024, 5:08 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 26, 2024, 5:08 p.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fa1000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\GoogleUp-date.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).lnk

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).lnk

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\GoogleUp-date.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\GoogleUp-date.exe

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 26, 2024, 5:08 p.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00460000 process_handle: 0xffffffff	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (10 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Sept. 26, 2024, 5:08 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 26, 2024, 5:08 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Sept. 26, 2024, 5:08 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW Sept. 26, 2024, 5:08 p.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Sept. 26, 2024, 5:08 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Sept. 26, 2024, 5:08 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 26, 2024, 5:08 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 26, 2024, 5:08 p.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 26, 2024, 5:08 p.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW Sept. 26, 2024, 5:08 p.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1

Yara rule detected in process memory (11 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	File Downloader	rule	Network_Downloader

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 02a62798ceff7606f4ad89aed18628f5bf8ce3d8

Communicates with host for which no DNS query was performed (1 event)

host

216.6.0.28

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 26, 2024, 5:08 p.m.	process_identifier: 2748 region_size: 741376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000014c	1	0	0

Installs itself for autorun at Windows startup (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).lnk

Creates known Fynloski/DarkComet files, registry keys and/or mutexes (3 events)

mutex	DC_MUTEX-BU4N34A
regkey	HKEY_CURRENT_USER\Software\DC3_FEXEC
regkey	HKEY_CURRENT_USER\Software\DC2_USERS

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 26, 2024, 5:08 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2748 process_handle: 0x0000014c	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA Sept. 26, 2024, 5:08 p.m.	thread_identifier: 0 callback_function: 0x0047f39c hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	983453	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2684 called NtSetContextThread to modify thread in remote process 2748
NtSetContextThread Sept. 26, 2024, 5:08 p.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4924704 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000148 process_identifier: 2748	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2684 resumed a thread in remote process 2748
NtResumeThread Sept. 26, 2024, 5:08 p.m.	thread_handle: 0x00000148 suspend_count: 1 process_identifier: 2748	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

216.6.0.28:885

Executed a process and injected code into it, probably while unpacking (15 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 26, 2024, 5:08 p.m.	thread_handle: 0x0000019c suspend_count: 1 process_identifier: 2552	1	0
CreateProcessInternalW Sept. 26, 2024, 5:08 p.m.	thread_identifier: 2688 thread_handle: 0x0000033c process_identifier: 2684 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\GoogleUp-date.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\GoogleUp-date.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\GoogleUp-date.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000344	1	1
CreateProcessInternalW Sept. 26, 2024, 5:08 p.m.	thread_identifier: 2752 thread_handle: 0x00000148 process_identifier: 2748 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\GoogleUp-date.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000014c	1	1
NtUnmapViewOfSection Sept. 26, 2024, 5:08 p.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2748 process_handle: 0x0000014c	1	0
NtAllocateVirtualMemory Sept. 26, 2024, 5:08 p.m.	process_identifier: 2748 region_size: 741376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000014c	1	0
WriteProcessMemory Sept. 26, 2024, 5:08 p.m.	buffer: base_address: 0x00400000 process_identifier: 2748 process_handle: 0x0000014c	1	1
WriteProcessMemory Sept. 26, 2024, 5:08 p.m.	buffer: base_address: 0x00401000 process_identifier: 2748 process_handle: 0x0000014c		0
WriteProcessMemory Sept. 26, 2024, 5:08 p.m.	buffer: base_address: 0x00476000 process_identifier: 2748 process_handle: 0x0000014c	1	1
WriteProcessMemory Sept. 26, 2024, 5:08 p.m.	buffer: base_address: 0x004b3000 process_identifier: 2748 process_handle: 0x0000014c	1	1
NtGetContextThread Sept. 26, 2024, 5:08 p.m.	thread_handle: 0x00000148	1	0
WriteProcessMemory Sept. 26, 2024, 5:08 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2748 process_handle: 0x0000014c	1	1
NtSetContextThread Sept. 26, 2024, 5:08 p.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4924704 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000148 process_identifier: 2748	1	0
NtResumeThread Sept. 26, 2024, 5:08 p.m.	thread_handle: 0x00000148 suspend_count: 1 process_identifier: 2748	1	0
NtResumeThread Sept. 26, 2024, 5:08 p.m.	thread_handle: 0x000001b4 suspend_count: 1 process_identifier: 2748	1	0
NtResumeThread Sept. 26, 2024, 5:08 p.m.	thread_handle: 0x000001f4 suspend_count: 1 process_identifier: 2748	1	0

File has been identified by 60 AntiVirus engines on VirusTotal as malicious (50 out of 60 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.DarkKomet.m!c
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Dropper.gc
ALYac	Gen:Variant.Jaik.159020
Cylance	Unsafe
VIPRE	Trojan.Uztuby.21
Sangfor	Backdoor.Win32.DarkKomet.iceq
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.Uztuby.21
K7GW	Riskware ( 0040eff71 )
K7AntiVirus	Riskware ( 0040eff71 )
Arcabit	Trojan.Uztuby.21 [many]
VirIT	Trojan.Win32.VB.TAN
Symantec	Backdoor.Breut
Elastic	malicious (high confidence)
ESET-NOD32	multiple detections
APEX	Malicious
Avast	Win32:Malware-gen
Kaspersky	Backdoor.Win32.DarkKomet.iceq
Alibaba	Backdoor:Win32/DarkKomet.e7c47765
NANO-Antivirus	Trojan.Win32.TrjGen.ktouq
MicroWorld-eScan	Trojan.Uztuby.21
Rising	Trojan.Injector!8.C4 (TFE:5:aTi52B7gBv)
Emsisoft	Trojan.Uztuby.21 (B)
F-Secure	Trojan.TR/Agent.53248.414
DrWeb	Trojan.Siggen3.39429
Zillya	Trojan.Genome.Win32.155382
TrendMicro	BKDR_ZAPCHAST.SG
McAfeeD	ti!7119A7520D12
Trapmine	malicious.moderate.ml.score
CTX	exe.unknown.jaik
Sophos	Mal/Generic-R
SentinelOne	Static AI - Suspicious SFX
FireEye	Generic.mg.194c7354336c6931
Jiangmin	Trojan/Genome.csmk
Webroot	W32.Gen.pak
Google	Detected
Avira	BDS/Fynloski.A.12199
Antiy-AVL	Trojan/Win32.Genome
Kingsoft	malware.kb.a.978
Gridinsoft	Backdoor.Win32.Fynloski.vl!i
Xcitium	Malware@#ae6ry83a7u8k
Microsoft	Trojan:Win32/Tiggre!rfn
ZoneAlarm	Backdoor.Win32.DarkKomet.iceq
GData	Trojan.Uztuby.21
AhnLab-V3	Trojan/Win32.Breut.C230199
McAfee	Artemis!194C7354336C
DeepInstinct	MALICIOUS
VBA32	Trojan.Tiggre

Lab03-01R.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All