Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 11, 2024, 9:59 a.m.	Nov. 11, 2024, 10:22 a.m.

Size	32.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`63399c74c5dda6fa8276ded35b5118b9`
SHA256	`d121605217cfec4a341b4b889ec374d6bc0be6b93886e4a6788865f9022be50a`
CRC32	`A701ADF3`
ssdeep	`768:P45UMrFV1yQlNBqHpBtzs2N77F/WTI+owQ:UJrFV1yQlzqztzsJo`
Yara	Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

bxn.exe "C:\Users\test22\AppData\Local\Temp\bxn.exe"
2572
- rundll32.exe RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
  2624
- explorer.exe explorer.exe https://icafe8.kf5.com/kchat/1011049
  2828

Name	Response	Post-Analysis Lookup
icafe8.kf5.com		106.75.91.144
safe.ywxww.net		60.191.236.246

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 11, 2024, 9:59 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:59 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 11, 2024, 9:59 a.m.		1	1	0

One or more processes crashed (8 events)

Time & API	Arguments	Status
__exception__ Nov. 11, 2024, 9:59 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1636096 registers.edi: 5922192 registers.eax: 1636096 registers.ebp: 1636176 registers.edx: 0 registers.ebx: 5922192 registers.esi: 5922192 registers.ecx: 2	1
__exception__ Nov. 11, 2024, 9:59 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1635808 registers.edi: 5922192 registers.eax: 1635808 registers.ebp: 1635888 registers.edx: 0 registers.ebx: 5922192 registers.esi: 5922192 registers.ecx: 2	1
__exception__ Nov. 11, 2024, 9:59 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1635824 registers.edi: 5922192 registers.eax: 1635824 registers.ebp: 1635904 registers.edx: 0 registers.ebx: 5922192 registers.esi: 5922192 registers.ecx: 2	1
__exception__ Nov. 11, 2024, 9:59 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1635824 registers.edi: 5922192 registers.eax: 1635824 registers.ebp: 1635904 registers.edx: 0 registers.ebx: 5922192 registers.esi: 5922192 registers.ecx: 2	1
__exception__ Nov. 11, 2024, 9:59 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1635824 registers.edi: 5922192 registers.eax: 1635824 registers.ebp: 1635904 registers.edx: 0 registers.ebx: 5922192 registers.esi: 5922192 registers.ecx: 2	1
__exception__ Nov. 11, 2024, 9:59 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1635824 registers.edi: 5922192 registers.eax: 1635824 registers.ebp: 1635904 registers.edx: 0 registers.ebx: 5922192 registers.esi: 5922192 registers.ecx: 2	1
__exception__ Nov. 11, 2024, 9:59 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1636388 registers.edi: 5922192 registers.eax: 1636388 registers.ebp: 1636468 registers.edx: 0 registers.ebx: 5922192 registers.esi: 5922192 registers.ecx: 2	1
__exception__ Nov. 11, 2024, 9:59 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1636408 registers.edi: 5922192 registers.eax: 1636408 registers.ebp: 1636488 registers.edx: 0 registers.ebx: 5922192 registers.esi: 5922192 registers.ecx: 2	1

Allocates read-write-execute memory (usually to unpack itself) (21 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 11, 2024, 9:59 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 9:59 a.m.	process_identifier: 2624 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x723f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 9:59 a.m.	process_identifier: 2624 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x764b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 9:59 a.m.	process_identifier: 2624 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72221000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 9:59 a.m.	process_identifier: 2624 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 9:59 a.m.	process_identifier: 2624 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75bc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 9:59 a.m.	process_identifier: 2624 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75d21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 9:59 a.m.	process_identifier: 2624 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71641000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 9:59 a.m.	process_identifier: 2624 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73251000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 9:59 a.m.	process_identifier: 2624 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71601000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 9:59 a.m.	process_identifier: 2624 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 9:59 a.m.	process_identifier: 2624 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 9:59 a.m.	process_identifier: 2624 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73641000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 9:59 a.m.	process_identifier: 2624 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73604000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 9:59 a.m.	process_identifier: 2624 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 9:59 a.m.	process_identifier: 2624 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fa1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 9:59 a.m.	process_identifier: 2624 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71511000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 9:59 a.m.	process_identifier: 2624 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x714e1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:59 a.m.	process_identifier: 2624 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 9:59 a.m.	process_identifier: 2624 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71271000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 9:59 a.m.	process_identifier: 2624 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74001000 process_handle: 0xffffffff	1

Foreign language identified in PE resource (1 event)

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000070f0

size

0x000002a4

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\winamp58_3660_beta_full_en-us[1].exe

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 11, 2024, 9:59 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x003e0000 process_handle: 0xffffffff	1	0	0

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 727 events)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\825[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\dthumb[10].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\dthumb[3].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\013[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\sprite-20210713@2x[2].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\7028d2d448816aeaab0e_20211029092933036[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\spr_lft_white_150916[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\AdPostInjectAsync[1].nhn
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\m_920_294_0729[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\cropImg_196x196_38699317823237099[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\e84a7e15-e6a9-41ec-9eb7-883e9b5e7249[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\348acc74d7ad9acbdda7_20211101182838273[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\1_237[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\favicon[3].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\dthumb[9].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\bootstrap.min[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\desktop.ini
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\jquery-1.12.4.min_v1[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\w[1].css
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\S6uyw4BMUTPHjx4wWA[1].woff
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\3a7f4c4cb962a54fae75_20200728093632144[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\cropImg_728x360_77691188554226350[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\8c9b6e5b-4abb-45c6-9aa7-aa28806e8e84[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\TopNav[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\adf7905c-28ea-4ddf-93b2-aa96dad57752[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\977[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\330[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\dthumbCAR5WT7S.jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\smart_editor2.me.min.200716[1].css
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\nsd13728808[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\327[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\sample-doc-download[1].htm
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\SOC-Facebook[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\f[2].txt
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\images[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\f1e83251-9248-4d4e-8d2e-d1505a55bc83[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\3de5642a-2629-4625-9a63-d96768537b11[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\keys_js5[2].htm
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\974[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\httpErrorPagesScripts[1]
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\articleCss[1].css
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\img_qrcode_help_desc_3[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\sy_stars_8[1].gif
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\ico_jmail2_120309[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\139[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\stickyFeedbackCss[1].css
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\loader_sblue[1].gif
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\img_qrcode_help_desc_4[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\dthumb[2].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\dthumb[2].jpg

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
Cynet	Malicious (score: 99)
CAT-QuickHeal	Trojan.Occamy
Skyhigh	BehavesLike.Win32.Infected.nt
ALYac	Trojan.GenericKD.74630630
Cylance	Unsafe
VIPRE	Trojan.GenericKD.74630630
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.GenericKD.74630630
K7GW	Trojan ( 0050df7f1 )
K7AntiVirus	Trojan ( 0050df7f1 )
Arcabit	Trojan.Generic.D472C5E6
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (moderate confidence)
Avast	Win32:Trojan-gen
Alibaba	TrojanDownloader:Win32/NewHeur.81fe4d49
NANO-Antivirus	Trojan.Win32.Razy.gwfsre
MicroWorld-eScan	Trojan.GenericKD.74630630
Rising	Downloader.Generic!8.141 (CLOUD)
Emsisoft	Trojan.GenericKD.74630630 (B)
F-Secure	Trojan.TR/Dldr.Agent.dpmsk
DrWeb	Trojan.DownLoader32.51971
Zillya	Downloader.Generic.Win32.9510
TrendMicro	TROJ_FRS.0NA103FE24
McAfeeD	ti!D121605217CF
CTX	exe.trojan.generic
Sophos	Mal/Generic-S
FireEye	Trojan.GenericKD.74630630
Jiangmin	TrojanDownloader.Generic.bffd
Google	Detected
Avira	TR/Dldr.Agent.dpmsk
Antiy-AVL	Trojan[Downloader]/Win32.AGeneric
Kingsoft	Win32.HeurC.KVM006.a
Gridinsoft	Trojan.Win32.Agent.vb!s1
Xcitium	Malware@#3ejqz7cp0yi2f
Microsoft	Trojan:Win32/Occamy.CD1
GData	Trojan.GenericKD.74630630
McAfee	Artemis!63399C74C5DD
DeepInstinct	MALICIOUS
VBA32	Trojan.Downloader
Malwarebytes	Malware.AI.3848828270
Ikarus	Trojan.NewHeur_VB_Downloader
Panda	Trj/GdSda.A
TrendMicro-HouseCall	TROJ_FRS.0NA103FE24
huorong	HVM:TrojanDownloader/Small.Gen!D
MaxSecure	Trojan.Malware.7175239.susgen
Fortinet	PossibleThreat.MU
AVG	Win32:Trojan-gen
Paloalto	generic.ml

bxn.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All