Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 2, 2024, 2:32 p.m.	Oct. 2, 2024, 2:35 p.m.

Size	10.7MB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`801832b0eb4d855a4753bb1af311db93`
SHA256	`4a963dacd8dd63fb79d0ec9c75da079eca9ffb9e4214c716686966434c9aad36`
CRC32	`7552D534`
ssdeep	`196608:/72lKkKCAWGgV89oRqt/CdqRc64hv3tmF1b6CffW/sfH6s7zQcKDsVv/JLSF66bI:VWGQFqt/3crv9mF1b6CffW/sfH6s7zQQ`
Yara	Malicious_Library_Zero - Malicious_Library Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer ASPack_Zero - ASPack packed file DllRegisterServer_Zero - execute regsvr32.exe anti_vm_detect - Possibly employs anti-virtualization techniques Win32_Trojan_Emotet_1_Zero - Win32 Trojan Emotet Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

SPOOF.exe "C:\Users\test22\AppData\Local\Temp\SPOOF.exe"
2544

Name	Response	Post-Analysis Lookup
api3.ruikeyz.com	CNAME u52h4gvr.waf.dnsv.com.cn CNAME vvkf37dq4.c-gtm.dnsv.com.cn A 51.79.193.76	165.154.119.234
api2.ruikeyz.com	CNAME 2fxy4v57.waf.dnsv.com.cn CNAME vvkf37dq4.c-gtm.dnsv.com.cn A 103.245.25.86	165.154.8.83
api.ruikeyz.com	A 139.99.30.177 A 103.245.25.14 A 165.154.8.83 A 51.79.193.76 CNAME vcpn5ak3.waf.edgedns.com.cn CNAME 92xahmw8.c-gtm.edgedns.com.cn A 15.235.211.113 A 165.154.119.234 A 45.43.59.201 A 152.32.163.209 A 103.245.25.86	139.99.30.177

IP Address	Status	Action
103.245.25.86	Active	Moloch
139.99.30.177	Active	Moloch
164.124.101.2	Active	Moloch
51.79.193.76	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (22 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 2, 2024, 2:32 p.m.			0	0
IsDebuggerPresent Oct. 2, 2024, 2:32 p.m.			0	0
IsDebuggerPresent Oct. 2, 2024, 2:32 p.m.			0	0
IsDebuggerPresent Oct. 2, 2024, 2:32 p.m.			0	0
IsDebuggerPresent Oct. 2, 2024, 2:32 p.m.			0	0
IsDebuggerPresent Oct. 2, 2024, 2:32 p.m.			0	0
IsDebuggerPresent Oct. 2, 2024, 2:32 p.m.			0	0
IsDebuggerPresent Oct. 2, 2024, 2:32 p.m.			0	0
IsDebuggerPresent Oct. 2, 2024, 2:32 p.m.			0	0
IsDebuggerPresent Oct. 2, 2024, 2:32 p.m.			0	0
IsDebuggerPresent Oct. 2, 2024, 2:32 p.m.			0	0
IsDebuggerPresent Oct. 2, 2024, 2:32 p.m.			0	0
IsDebuggerPresent Oct. 2, 2024, 2:32 p.m.			0	0
IsDebuggerPresent Oct. 2, 2024, 2:32 p.m.			0	0
IsDebuggerPresent Oct. 2, 2024, 2:32 p.m.			0	0
IsDebuggerPresent Oct. 2, 2024, 2:32 p.m.			0	0
IsDebuggerPresent Oct. 2, 2024, 2:32 p.m.			0	0
IsDebuggerPresent Oct. 2, 2024, 2:32 p.m.			0	0
IsDebuggerPresent Oct. 2, 2024, 2:32 p.m.			0	0
IsDebuggerPresent Oct. 2, 2024, 2:32 p.m.			0	0
IsDebuggerPresent Oct. 2, 2024, 2:32 p.m.			0	0
IsDebuggerPresent Oct. 2, 2024, 2:32 p.m.			0	0

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleA Oct. 2, 2024, 2:32 p.m.	buffer: impart Spoof console_handle: 0x00000007	1	1
WriteConsoleA Oct. 2, 2024, 2:32 p.m.	buffer: APEX-[EAC] Çý¶¯[1°æ] <Ó²ÅÌÆÁ±Î Ö÷°åËæ»ú Íø¿¨Ëæ»ú> console_handle: 0x00000007	1	1
WriteConsoleA Oct. 2, 2024, 2:32 p.m.	buffer: [*] ×¼±¸¾ÍÐ÷ console_handle: 0x00000007	1	1
WriteConsoleA Oct. 2, 2024, 2:32 p.m.	buffer: ³õÊ¼»¯Ê§°Ü¡¾Çë¹Ø±Õ³ÌÐòÖØÆôÔËÐÐÏÂ¡¿£º·þÎñÆ÷·ÃÎÊÊ§°Ü£¬Äú±¾µØÍøÂç²»Ë³³©£¬Çë¼ì²éÏÂ£¨»òÐíÄúÓÃÁË´úÀíIPÁË£¬µ±Ê±µÄ´úÀíIP²»ÎÈ¶¨£¿ console_handle: 0x00000007	1	1

The executable uses a known packer (1 event)

packer

Armadillo v1.71

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

TEXTINCLUDE

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	POST method with no referer header				suspicious_request	POST http://api.ruikeyz.com/NetVer/webapi
suspicious_features	POST method with no referer header				suspicious_request	POST http://api2.ruikeyz.com/NetVer/webapi

Performs some HTTP requests (2 events)

request	POST http://api.ruikeyz.com/NetVer/webapi
request	POST http://api2.ruikeyz.com/NetVer/webapi

Sends data using the HTTP POST Method (2 events)

request	POST http://api.ruikeyz.com/NetVer/webapi
request	POST http://api2.ruikeyz.com/NetVer/webapi

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 2, 2024, 2:32 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73442000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 2, 2024, 2:32 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00534000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 2, 2024, 2:32 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00534000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 2, 2024, 2:32 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00534000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 2, 2024, 2:32 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00534000 process_handle: 0xffffffff	1

Foreign language identified in PE resource (50 out of 51 events)

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00ae4dac

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00ae4dac

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00ae4dac

size

0x00000151

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00ae7d44

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00ae7d44

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00ae7d44

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00ae7d44

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00ae7d44

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00ae7d44

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00ae7d44

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00ae7d44

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00ae7d44

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00ae7d44

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00ae7d44

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00ae7d44

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00ae7d44

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00ae7d44

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00ae7d44

size

0x00000144

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00aec4cc

size

0x00000284

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00aec4cc

size

0x00000284

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00aed714

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00aed714

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00aed714

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00aed714

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00aed714

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00aed714

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00aed714

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00aed714

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00aed714

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00aed714

size

0x0000018c

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00aee15c

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00aee15c

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00aee15c

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00aee15c

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00aee15c

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00aee15c

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00aee15c

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00aee15c

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00aee15c

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00aee15c

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00aee15c

size

0x00000024

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00aee1e4

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00aee1e4

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00aee1e4

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00aee1e4

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00aee1e4

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00aee1e4

size

0x00000022

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00aee230

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00aee230

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00aee230

size

0x00000014

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (35 events)

Time & API	Arguments	Status	Return
Process32NextW Oct. 2, 2024, 2:32 p.m.	snapshot_handle: 0x0000012c process_name: smss.exe process_identifier: 224	1	1
Process32NextW Oct. 2, 2024, 2:32 p.m.	snapshot_handle: 0x0000012c process_name: csrss.exe process_identifier: 304	1	1
Process32NextW Oct. 2, 2024, 2:32 p.m.	snapshot_handle: 0x0000012c process_name: wininit.exe process_identifier: 352	1	1
Process32NextW Oct. 2, 2024, 2:32 p.m.	snapshot_handle: 0x0000012c process_name: csrss.exe process_identifier: 360	1	1
Process32NextW Oct. 2, 2024, 2:32 p.m.	snapshot_handle: 0x0000012c process_name: winlogon.exe process_identifier: 400	1	1
Process32NextW Oct. 2, 2024, 2:32 p.m.	snapshot_handle: 0x0000012c process_name: services.exe process_identifier: 444	1	1
Process32NextW Oct. 2, 2024, 2:32 p.m.	snapshot_handle: 0x0000012c process_name: lsm.exe process_identifier: 468	1	1
Process32NextW Oct. 2, 2024, 2:32 p.m.	snapshot_handle: 0x0000012c process_name: svchost.exe process_identifier: 572	1	1
Process32NextW Oct. 2, 2024, 2:32 p.m.	snapshot_handle: 0x0000012c process_name: svchost.exe process_identifier: 652	1	1
Process32NextW Oct. 2, 2024, 2:32 p.m.	snapshot_handle: 0x0000012c process_name: svchost.exe process_identifier: 724	1	1
Process32NextW Oct. 2, 2024, 2:32 p.m.	snapshot_handle: 0x0000012c process_name: svchost.exe process_identifier: 784	1	1
Process32NextW Oct. 2, 2024, 2:32 p.m.	snapshot_handle: 0x0000012c process_name: svchost.exe process_identifier: 832	1	1
Process32NextW Oct. 2, 2024, 2:32 p.m.	snapshot_handle: 0x0000012c process_name: audiodg.exe process_identifier: 900	1	1
Process32NextW Oct. 2, 2024, 2:32 p.m.	snapshot_handle: 0x0000012c process_name: svchost.exe process_identifier: 992	1	1
Process32NextW Oct. 2, 2024, 2:32 p.m.	snapshot_handle: 0x0000012c process_name: svchost.exe process_identifier: 292	1	1
Process32NextW Oct. 2, 2024, 2:32 p.m.	snapshot_handle: 0x0000012c process_name: spoolsv.exe process_identifier: 324	1	1
Process32NextW Oct. 2, 2024, 2:32 p.m.	snapshot_handle: 0x0000012c process_name: svchost.exe process_identifier: 1048	1	1
Process32NextW Oct. 2, 2024, 2:32 p.m.	snapshot_handle: 0x0000012c process_name: srvany.exe process_identifier: 1284	1	1
Process32NextW Oct. 2, 2024, 2:32 p.m.	snapshot_handle: 0x0000012c process_name: KMService.exe process_identifier: 1436	1	1
Process32NextW Oct. 2, 2024, 2:32 p.m.	snapshot_handle: 0x0000012c process_name: conhost.exe process_identifier: 1448	1	1
Process32NextW Oct. 2, 2024, 2:32 p.m.	snapshot_handle: 0x0000012c process_name: taskhost.exe process_identifier: 1600	1	1
Process32NextW Oct. 2, 2024, 2:32 p.m.	snapshot_handle: 0x0000012c process_name: sppsvc.exe process_identifier: 1820	1	1
Process32NextW Oct. 2, 2024, 2:32 p.m.	snapshot_handle: 0x0000012c process_name: svchost.exe process_identifier: 1896	1	1
Process32NextW Oct. 2, 2024, 2:32 p.m.	snapshot_handle: 0x0000012c process_name: dwm.exe process_identifier: 1260	1	1
Process32NextW Oct. 2, 2024, 2:32 p.m.	snapshot_handle: 0x0000012c process_name: explorer.exe process_identifier: 1452	1	1
Process32NextW Oct. 2, 2024, 2:32 p.m.	snapshot_handle: 0x0000012c process_name: pw.exe process_identifier: 988	1	1
Process32NextW Oct. 2, 2024, 2:32 p.m.	snapshot_handle: 0x0000012c process_name: SearchIndexer.exe process_identifier: 1160	1	1
Process32NextW Oct. 2, 2024, 2:32 p.m.	snapshot_handle: 0x0000012c process_name: SearchProtocolHost.exe process_identifier: 936	1	1
Process32NextW Oct. 2, 2024, 2:32 p.m.	snapshot_handle: 0x0000012c process_name: SearchFilterHost.exe process_identifier: 2000	1	1
Process32NextW Oct. 2, 2024, 2:32 p.m.	snapshot_handle: 0x0000012c process_name: mobsync.exe process_identifier: 2280	1	1
Process32NextW Oct. 2, 2024, 2:32 p.m.	snapshot_handle: 0x0000012c process_name: pw.exe process_identifier: 2324	1	1
Process32NextW Oct. 2, 2024, 2:32 p.m.	snapshot_handle: 0x0000012c process_name: wsqmcons.exe process_identifier: 2360	1	1
Process32NextW Oct. 2, 2024, 2:32 p.m.	snapshot_handle: 0x0000012c process_name: taskhost.exe process_identifier: 2368	1	1
Process32NextW Oct. 2, 2024, 2:32 p.m.	snapshot_handle: 0x0000012c process_name: sdclt.exe process_identifier: 2376	1	1
Process32NextW Oct. 2, 2024, 2:32 p.m.	snapshot_handle: 0x0000012c process_name: SPOOF.exe process_identifier: 2544	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00957000', u'virtual_address': u'0x00131000', u'entropy': 7.0284472384314425, u'name': u'.rdata', u'virtual_size': u'0x009565c8'}

entropy

7.02844723843

description

A section with a high entropy has been found

entropy

0.87454279444

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

spoof.exe

Terminates another process (1 event)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Oct. 2, 2024, 2:32 p.m.	status_code: 0x00000000 process_identifier: 2544 process_handle: 0x00000178		0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

51.79.193.76:80

File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.lwoF
tehtris	Generic.Malware
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Generic.vc
Cylance	Unsafe
CrowdStrike	win/malicious_confidence_70% (D)
K7GW	Trojan ( 005246d51 )
K7AntiVirus	Trojan ( 005246d51 )
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.FlyStudio.AA potentially unwanted
APEX	Malicious
Avast	Win32:Malware-gen
ClamAV	Win.Malware.Genkryptik-10034801-0
Rising	Trojan.MalCert!1.E0C6 (CLASSIC)
DrWeb	Trojan.DownLoad4.15026
McAfeeD	Real Protect-LS!801832B0EB4D
Trapmine	suspicious.low.ml.score
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.801832b0eb4d855a
Antiy-AVL	RiskWare/Win32.FlyStudio.a
Kingsoft	Win32.Troj.Unknown.a
Gridinsoft	Trojan.Win32.Packed.sa
Xcitium	TrojWare.Win32.Agent.OSCF@5rs7jr
Microsoft	Trojan:Win32/Emotet!ml
GData	Win32.Trojan.PSE.11U3QNE
Varist	W32/Agent.EW.gen!Eldorado
AhnLab-V3	Malware/Gen.Generic.C1027866
Acronis	suspicious
McAfee	Artemis!801832B0EB4D
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware.AI.DDS
Ikarus	Trojan.Win32.Agent
MaxSecure	Dropper.Dinwod.frindll
Fortinet	W32/CoinMiner.PHP!tr
AVG	Win32:Malware-gen
Paloalto	generic.ml
alibabacloud	Virus:Win/KillFiles.AZ

SPOOF.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All