Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 16, 2024, 2:19 p.m.	Oct. 16, 2024, 2:28 p.m.

Size	7.3MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`110a014684ddaaf25e6b81d798d7ae8f`
SHA256	`5df0c8a02789c6833a07bfbbff5a02b161201c1e55e9b00af59e7f1684e193b9`
CRC32	`82D4AB1F`
ssdeep	`196608:e/qaArDbenvmte2qUzCsXDjDyfndJolpPgToa10/UFOnJwDIU7/x:e/govmg2qaCEDAJ83a10MsEISZ`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE64 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

1174180.exe "C:\Users\test22\AppData\Local\Temp\1174180.exe"
2556
- 1174180.exe "C:\Users\test22\AppData\Local\Temp\1174180.exe"
  2704

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
109.176.30.246	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 16, 2024, 2:19 p.m.			0	0
IsDebuggerPresent Oct. 16, 2024, 2:20 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 16, 2024, 2:19 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.sedata

Allocates read-write-execute memory (usually to unpack itself) (50 out of 604 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 364544 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140001000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 73728 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140047000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 73728 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140047000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 172032 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140001000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 172032 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140001000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014003e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014003e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 200704 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014017b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014002b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014002b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014002b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014002b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014002b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014002b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014002b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014002b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014002b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014002b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014002b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014002b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014002b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014002b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014002b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014002b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014002b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014002b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014002b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014002b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014002b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014002b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014002b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014002b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014002b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014002b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014002b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014002b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014002b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014002b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014002b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014002b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014002b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014002b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014002b000 process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

1174180.exe tried to sleep 220 seconds, actually delayed analysis time by 220 seconds

Creates executable files on the filesystem (6 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI25562\libcrypto-1_1.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25562\libffi-7.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25562\python3.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25562\python38.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25562\VCRUNTIME140.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25562\libssl-1_1.dll

The binary likely contains encrypted or compressed data indicative of a packer (4 events)

section

{u'size_of_data': u'0x00024800', u'virtual_address': u'0x00001000', u'entropy': 7.998653338948284, u'name': u'.text', u'virtual_size': u'0x00059000'}

entropy

7.99865333895

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00159600', u'virtual_address': u'0x0005a000', u'entropy': 7.567546322355055, u'name': u'.sedata', u'virtual_size': u'0x0015a000'}

entropy

7.56754632236

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00001000', u'virtual_address': u'0x001c7000', u'entropy': 7.984224991868206, u'name': u'.sedata', u'virtual_size': u'0x00001000'}

entropy

7.98422499187

description

A section with a high entropy has been found

entropy

0.955098222638

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

109.176.30.246

Executed a process and injected code into it, probably while unpacking (50 out of 123 events)

Time & API	Arguments	Status	Return
NtGetContextThread Oct. 16, 2024, 2:19 p.m.	thread_handle: 0xfffffffffffffffe	1	0
NtSetContextThread Oct. 16, 2024, 2:19 p.m.	registers.r14: 1 registers.r15: 0 registers.rcx: 5369197949 registers.rsi: 827844483519 registers.r10: 5369198252 registers.rbx: 7733779 registers.rsp: -4557818359302848512 registers.r11: 5369497653 registers.r8: 211928187781075 registers.r9: 5369198405 registers.rip: 514 registers.rdx: 5369198488 registers.r12: 20 registers.rbp: 2227128 registers.rdi: 6958125116684616 registers.rax: 286960454180763005 registers.r13: 5370128091 thread_handle: 0xfffffffffffffffe process_identifier: 2556	1	0
NtResumeThread Oct. 16, 2024, 2:19 p.m.	thread_handle: 0x000000000000006c suspend_count: 0 process_identifier: 2556	1	0
NtGetContextThread Oct. 16, 2024, 2:19 p.m.	thread_handle: 0xfffffffffffffffe	1	0
NtSetContextThread Oct. 16, 2024, 2:19 p.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 0 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 0 registers.r11: 0 registers.r8: 51 registers.r9: 2199026073600 registers.rip: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 0 registers.rdi: 34634617323547 registers.rax: 0 registers.r13: 0 thread_handle: 0xfffffffffffffffe process_identifier: 2556	1	0
NtResumeThread Oct. 16, 2024, 2:19 p.m.	thread_handle: 0x00000000000000a4 suspend_count: 1 process_identifier: 2556	1	0
NtResumeThread Oct. 16, 2024, 2:19 p.m.	thread_handle: 0x00000000000000bc suspend_count: 0 process_identifier: 2556	1	0
NtGetContextThread Oct. 16, 2024, 2:19 p.m.	thread_handle: 0xfffffffffffffffe	1	0
NtResumeThread Oct. 16, 2024, 2:19 p.m.	thread_handle: 0x00000000000000b8 suspend_count: 0 process_identifier: 2556	1	0
NtGetContextThread Oct. 16, 2024, 2:19 p.m.	thread_handle: 0xfffffffffffffffe	1	0
CreateProcessInternalW Oct. 16, 2024, 2:19 p.m.	thread_identifier: 2708 thread_handle: 0x00000000000000b0 process_identifier: 2704 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\1174180.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1174180.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1174180.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x00000000000000b4	1	1
NtResumeThread Oct. 16, 2024, 2:19 p.m.	thread_handle: 0x00000000000000fc suspend_count: 0 process_identifier: 2556	1	0
NtGetContextThread Oct. 16, 2024, 2:19 p.m.	thread_handle: 0xfffffffffffffffe	1	0
NtResumeThread Oct. 16, 2024, 2:20 p.m.	thread_handle: 0x00000000000000fc suspend_count: 0 process_identifier: 2556	1	0
NtGetContextThread Oct. 16, 2024, 2:20 p.m.	thread_handle: 0xfffffffffffffffe	1	0
NtResumeThread Oct. 16, 2024, 2:20 p.m.	thread_handle: 0x00000000000000fc suspend_count: 0 process_identifier: 2556	1	0
NtGetContextThread Oct. 16, 2024, 2:20 p.m.	thread_handle: 0xfffffffffffffffe	1	0
NtResumeThread Oct. 16, 2024, 2:20 p.m.	thread_handle: 0x00000000000000fc suspend_count: 0 process_identifier: 2556	1	0
NtGetContextThread Oct. 16, 2024, 2:20 p.m.	thread_handle: 0xfffffffffffffffe	1	0
NtResumeThread Oct. 16, 2024, 2:20 p.m.	thread_handle: 0x00000000000000fc suspend_count: 0 process_identifier: 2556	1	0
NtGetContextThread Oct. 16, 2024, 2:20 p.m.	thread_handle: 0xfffffffffffffffe	1	0
NtResumeThread Oct. 16, 2024, 2:20 p.m.	thread_handle: 0x0000000000000088 suspend_count: 0 process_identifier: 2556	1	0
NtGetContextThread Oct. 16, 2024, 2:20 p.m.	thread_handle: 0xfffffffffffffffe	1	0
NtResumeThread Oct. 16, 2024, 2:20 p.m.	thread_handle: 0x0000000000000088 suspend_count: 0 process_identifier: 2556	1	0
NtGetContextThread Oct. 16, 2024, 2:20 p.m.	thread_handle: 0xfffffffffffffffe	1	0
NtResumeThread Oct. 16, 2024, 2:20 p.m.	thread_handle: 0x0000000000000088 suspend_count: 0 process_identifier: 2556	1	0
NtGetContextThread Oct. 16, 2024, 2:20 p.m.	thread_handle: 0xfffffffffffffffe	1	0
NtResumeThread Oct. 16, 2024, 2:20 p.m.	thread_handle: 0x0000000000000088 suspend_count: 0 process_identifier: 2556	1	0
NtGetContextThread Oct. 16, 2024, 2:20 p.m.	thread_handle: 0xfffffffffffffffe	1	0
NtResumeThread Oct. 16, 2024, 2:20 p.m.	thread_handle: 0x0000000000000088 suspend_count: 0 process_identifier: 2556	1	0
NtGetContextThread Oct. 16, 2024, 2:20 p.m.	thread_handle: 0xfffffffffffffffe	1	0
NtResumeThread Oct. 16, 2024, 2:20 p.m.	thread_handle: 0x0000000000000088 suspend_count: 0 process_identifier: 2556	1	0
NtGetContextThread Oct. 16, 2024, 2:20 p.m.	thread_handle: 0xfffffffffffffffe	1	0
NtResumeThread Oct. 16, 2024, 2:20 p.m.	thread_handle: 0x0000000000000088 suspend_count: 0 process_identifier: 2556	1	0
NtGetContextThread Oct. 16, 2024, 2:20 p.m.	thread_handle: 0xfffffffffffffffe	1	0
NtResumeThread Oct. 16, 2024, 2:20 p.m.	thread_handle: 0x0000000000000088 suspend_count: 0 process_identifier: 2556	1	0
NtGetContextThread Oct. 16, 2024, 2:20 p.m.	thread_handle: 0xfffffffffffffffe	1	0
NtResumeThread Oct. 16, 2024, 2:20 p.m.	thread_handle: 0x0000000000000088 suspend_count: 0 process_identifier: 2556	1	0
NtGetContextThread Oct. 16, 2024, 2:20 p.m.	thread_handle: 0xfffffffffffffffe	1	0
NtResumeThread Oct. 16, 2024, 2:20 p.m.	thread_handle: 0x0000000000000088 suspend_count: 0 process_identifier: 2556	1	0
NtGetContextThread Oct. 16, 2024, 2:20 p.m.	thread_handle: 0xfffffffffffffffe	1	0
NtResumeThread Oct. 16, 2024, 2:20 p.m.	thread_handle: 0x0000000000000088 suspend_count: 0 process_identifier: 2556	1	0
NtGetContextThread Oct. 16, 2024, 2:20 p.m.	thread_handle: 0xfffffffffffffffe	1	0
NtResumeThread Oct. 16, 2024, 2:21 p.m.	thread_handle: 0x0000000000000088 suspend_count: 0 process_identifier: 2556	1	0
NtGetContextThread Oct. 16, 2024, 2:21 p.m.	thread_handle: 0xfffffffffffffffe	1	0
NtResumeThread Oct. 16, 2024, 2:21 p.m.	thread_handle: 0x0000000000000088 suspend_count: 0 process_identifier: 2556	1	0
NtGetContextThread Oct. 16, 2024, 2:21 p.m.	thread_handle: 0xfffffffffffffffe	1	0
NtResumeThread Oct. 16, 2024, 2:21 p.m.	thread_handle: 0x0000000000000088 suspend_count: 0 process_identifier: 2556	1	0
NtGetContextThread Oct. 16, 2024, 2:21 p.m.	thread_handle: 0xfffffffffffffffe	1	0
NtResumeThread Oct. 16, 2024, 2:21 p.m.	thread_handle: 0x0000000000000088 suspend_count: 0 process_identifier: 2556	1	0

File has been identified by 41 AntiVirus engines on VirusTotal as malicious (41 events)

Bkav	W64.AIDetectMalware
Cynet	Malicious (score: 100)
ALYac	Trojan.GenericKD.74316972
Cylance	Unsafe
VIPRE	Trojan.GenericKD.74316972
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_70% (D)
BitDefender	Trojan.GenericKD.74316972
K7GW	Trojan ( 005bb86e1 )
K7AntiVirus	Trojan ( 005bb86e1 )
Arcabit	Trojan.Generic.D46DFCAC
Symantec	Trojan.Gen.MBT
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/GenCBL.FGX
APEX	Malicious
Avast	Win64:DangerousSig [Trj]
Kaspersky	UDS:Rootkit.Win64.Agent.gen
MicroWorld-eScan	Trojan.GenericKD.74316972
Rising	Trojan.MalCert!1.BCF8 (CLASSIC)
Emsisoft	Trojan.GenericKD.74316972 (B)
F-Secure	Trojan.RKIT/Agent.ecpsx
DrWeb	Trojan.Rootkit.22113
Trapmine	malicious.moderate.ml.score
CTX	exe.trojan.generic
Sophos	Mal/BadCert-Gen
FireEye	Generic.mg.110a014684ddaaf2
Google	Detected
Avira	RKIT/Agent.ecpsx
Antiy-AVL	GrayWare/Win32.SafeGuard.a
Gridinsoft	Trojan.Heur!.010100A3
Microsoft	PUA:Win32/Kuping
ZoneAlarm	UDS:Rootkit.Win64.Agent.gen
GData	Win64.Trojan.Agent.D0CNKZ
Varist	W64/Noobyprotect.B.gen!Eldorado
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware.AI.DDS
Ikarus	Trojan.Win64.Krypt
TrendMicro-HouseCall	TROJ_GEN.R014H0CJF24
MaxSecure	Virus.W32.packed.Noobyprotect.B
Fortinet	W32/GenCBL.FGX!tr
AVG	Win64:DangerousSig [Trj]

1174180.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All