Summary | ZeroBOX

Zoom.ClientSetup_v0564.exe

Emotet Gen1 backdoor njRAT Generic Malware UPX ASPack Antivirus Malicious Library Malicious Packer PE64 PE File OS Name Check MSOffice File OS Processor Check PE32 CAB
Category FILE
Machine s1_win7_x6401
Started March 24, 2025, 10:12 a.m.
Completed March 24, 2025, 10:19 a.m.
Size 5.8MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 8115c820fc40abb9a7d451dd607ba7dc
SHA256 cc0a63ac38d1d2b353c257fbf25dd9f0e15a95ab7ff58ddb40e1ab53c560769a
CRC32 E1185DCE
ssdeep 98304:jEs6efPNwJ4t1h0cG5FGJRPxow8OOD527BWG:gfefPKWh0cGw0VQBWG
PDB Path C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Win_Backdoor_njRAT_Zero - Win Backdoor njRAT
  • Antivirus - Contains references to security software
  • Microsoft_Office_File_Zero - Microsoft Office File
  • CAB_file_format - CAB archive file
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check
  • OS_Name_Check_Zero - OS Name Check Signature
  • UPX_Zero - UPX packed file

IP Address Status Action
13.213.51.196 Active Moloch
142.250.197.3 Active Moloch
142.250.198.99 Active Moloch
142.250.71.174 Active Moloch
164.124.101.2 Active Moloch
3.229.117.57 Active Moloch
34.104.35.123 Active Moloch
52.11.240.239 Active Moloch
72.52.178.23 Active Moloch
82.112.184.197 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.101:53850 -> 164.124.101.2:53 2027863 ET INFO Observed DNS Query to .biz TLD Potentially Bad Traffic
UDP 192.168.56.101:53004 -> 164.124.101.2:53 2027863 ET INFO Observed DNS Query to .biz TLD Potentially Bad Traffic
UDP 192.168.56.101:59002 -> 164.124.101.2:53 2027863 ET INFO Observed DNS Query to .biz TLD Potentially Bad Traffic
UDP 192.168.56.101:55146 -> 164.124.101.2:53 2027863 ET INFO Observed DNS Query to .biz TLD Potentially Bad Traffic
UDP 192.168.56.101:54148 -> 164.124.101.2:53 2027863 ET INFO Observed DNS Query to .biz TLD Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 142.250.198.99:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
UDP 192.168.56.101:52753 -> 164.124.101.2:53 2027863 ET INFO Observed DNS Query to .biz TLD Potentially Bad Traffic
TCP 192.168.56.101:49179 -> 142.250.197.3:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
UDP 192.168.56.101:58887 -> 164.124.101.2:53 2027863 ET INFO Observed DNS Query to .biz TLD Potentially Bad Traffic
UDP 192.168.56.101:57986 -> 164.124.101.2:53 2027863 ET INFO Observed DNS Query to .biz TLD Potentially Bad Traffic
UDP 192.168.56.101:58166 -> 164.124.101.2:53 2027863 ET INFO Observed DNS Query to .biz TLD Potentially Bad Traffic
TCP 52.11.240.239:80 -> 192.168.56.101:49163 2018141 ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz A Network Trojan was detected
TCP 3.229.117.57:80 -> 192.168.56.101:49169 2018141 ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz A Network Trojan was detected
TCP 52.11.240.239:80 -> 192.168.56.101:49164 2037771 ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst A Network Trojan was detected
TCP 3.229.117.57:80 -> 192.168.56.101:49169 2037771 ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst A Network Trojan was detected
TCP 13.213.51.196:80 -> 192.168.56.101:49166 2018141 ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz A Network Trojan was detected
TCP 13.213.51.196:80 -> 192.168.56.101:49166 2037771 ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst A Network Trojan was detected
UDP 192.168.56.101:61950 -> 164.124.101.2:53 2027863 ET INFO Observed DNS Query to .biz TLD Potentially Bad Traffic
TCP 192.168.56.101:49180 -> 142.250.197.3:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
UDP 192.168.56.101:54883 -> 164.124.101.2:53 2051648 ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) A Network Trojan was detected
UDP 192.168.56.101:54883 -> 164.124.101.2:53 2027863 ET INFO Observed DNS Query to .biz TLD Potentially Bad Traffic
UDP 192.168.56.101:58120 -> 164.124.101.2:53 2027863 ET INFO Observed DNS Query to .biz TLD Potentially Bad Traffic
UDP 192.168.56.101:51901 -> 164.124.101.2:53 2051649 ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) A Network Trojan was detected
UDP 192.168.56.101:51901 -> 164.124.101.2:53 2027863 ET INFO Observed DNS Query to .biz TLD Potentially Bad Traffic
TCP 192.168.56.101:49171 -> 142.250.71.174:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 34.104.35.123:80 -> 192.168.56.101:49175 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 34.104.35.123:80 -> 192.168.56.101:49175 2014520 ET INFO EXE - Served Attached HTTP Misc activity
TCP 34.104.35.123:80 -> 192.168.56.101:49175 2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) Misc activity
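Alert rows like the ones above are normally worked into per-host indicators before anything is blocked or hunted for. The script below is an added example and is not part of the ZeroBOX report or of Suricata: it parses rows in the flat "PROTO src:port -> dst:port SID message category" form used in this table, decides which side is the remote host relative to the sandbox network (192.168.56.0/24 is assumed from the addresses shown), re-joins the domain that ET rule messages defang as "przvgke .biz", and ranks each remote host by the most severe Suricata category seen for it. The category-to-severity mapping is an assumption made for this example; the sample rows are copied from the table above.

```python
"""Per-remote-host triage of flat Suricata alert rows (added example, not ZeroBOX code)."""
import ipaddress
import re
from collections import defaultdict

# Assumed: the sandbox guest lives in this network (every row above shows 192.168.56.101).
SANDBOX_NET = ipaddress.ip_network("192.168.56.0/24")

# Assumed mapping from the Suricata classtype text to a triage level (3 = highest).
SEVERITY = {
    "A Network Trojan was detected": 3,
    "Potentially Bad Traffic": 2,
    "undefined": 2,  # SSLBL JA3 rows carry no classtype; treat as needs-review
    "Potential Corporate Privacy Violation": 1,
    "Misc activity": 1,
}

ROW_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<sid>\d+)\s+(?P<rest>.+)$"
)
# ET rule messages defang a domain with a space before the TLD, e.g. "(przvgke .biz)".
DEFANGED_RE = re.compile(r"\(([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*) \.([A-Za-z]{2,})\)")


def parse_row(line):
    """Split one flat alert row into its fields; None if the line is not an alert row."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    # The category is the trailing field with no delimiter; match the longest known one.
    category = next((c for c in sorted(SEVERITY, key=len, reverse=True) if rest.endswith(c)), None)
    message = rest[: -len(category)].strip() if category else rest
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    if src in SANDBOX_NET:
        remote, remote_port, direction = dst, int(m["dport"]), "outbound"
    else:
        remote, remote_port, direction = src, int(m["sport"]), "inbound"
    return {
        "proto": m["proto"], "remote": str(remote), "remote_port": remote_port,
        "direction": direction, "sid": int(m["sid"]), "message": message,
        "category": category, "severity": SEVERITY.get(category, 0),
        "domains": [f"{name}.{tld}" for name, tld in DEFANGED_RE.findall(message)],
    }


def triage(lines):
    """Group parsed rows by remote host, keeping the worst severity and all SIDs/ports/domains."""
    hosts = defaultdict(lambda: {"severity": 0, "sids": set(), "ports": set(),
                                 "directions": set(), "domains": set()})
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        h = hosts[row["remote"]]
        h["severity"] = max(h["severity"], row["severity"])
        h["sids"].add(row["sid"])
        h["ports"].add(f'{row["proto"]}/{row["remote_port"]}')
        h["directions"].add(row["direction"])
        h["domains"].update(row["domains"])
    return dict(sorted(hosts.items(), key=lambda kv: -kv[1]["severity"]))


# Rows copied from the Suricata alert table above (a subset, so the script runs offline).
SAMPLE_ROWS = [
    "UDP 192.168.56.101:53850 -> 164.124.101.2:53 2027863 ET INFO Observed DNS Query to .biz TLD Potentially Bad Traffic",
    "UDP 192.168.56.101:54883 -> 164.124.101.2:53 2051648 ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) A Network Trojan was detected",
    "TCP 192.168.56.101:49173 -> 142.250.198.99:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined",
    "TCP 52.11.240.239:80 -> 192.168.56.101:49163 2018141 ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz A Network Trojan was detected",
    "TCP 52.11.240.239:80 -> 192.168.56.101:49164 2037771 ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst A Network Trojan was detected",
    "TCP 34.104.35.123:80 -> 192.168.56.101:49175 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation",
]

if __name__ == "__main__":
    for host, info in triage(SAMPLE_ROWS).items():
        print(f'{host:16} sev={info["severity"]} {sorted(info["directions"])} '
              f'{sorted(info["ports"])} sids={sorted(info["sids"])} domains={sorted(info["domains"])}')
```

Two things the output makes visible that the raw table does not: the DNS resolver 164.124.101.2 ranks at the top only because the Expiro-domain rules fire on queries sent to it, so the indicator to act on there is the re-joined domain, not the resolver; and the "Sinkhole Cookie" hits are inbound responses, so those three hosts are sinkholes whose replies mark the guest as compromised rather than live C2 to block.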

Suricata TLS

TLSv1 192.168.56.101:49173 -> 142.250.198.99:443
  Issuer: C=US, O=Google Trust Services, CN=WE2
  Subject: CN=upload.video.google.com
  Fingerprint: 1e:b7:58:42:0e:9d:10:2b:a7:c2:b3:4a:f7:73:ca:ca:c7:a3:90:ff

TLSv1 192.168.56.101:49179 -> 142.250.197.3:443
  Issuer: C=US, O=Google Trust Services, CN=WE2
  Subject: CN=upload.video.google.com
  Fingerprint: 1e:b7:58:42:0e:9d:10:2b:a7:c2:b3:4a:f7:73:ca:ca:c7:a3:90:ff

TLS 1.2 192.168.56.101:49180 -> 142.250.197.3:443
  Issuer: C=US, O=Google Trust Services, CN=WE2
  Subject: CN=upload.video.google.com
  Fingerprint: 1e:b7:58:42:0e:9d:10:2b:a7:c2:b3:4a:f7:73:ca:ca:c7:a3:90:ff

TLSv1 192.168.56.101:49171 -> 142.250.71.174:443
  Issuer: C=US, O=Google Trust Services, CN=WE2
  Subject: CN=*.google.com
  Fingerprint: 57:e3:38:da:15:e9:22:1d:17:e2:12:42:3a:88:03:62:6e:f5:c0:53

API Arguments Status Return Repeated
GetComputerNameW computer_name: 뻯��� 0 0
GetComputerNameW computer_name: TEST22-PC 1 1 0
GetComputerNameA computer_name: TEST22-PC 1 1 0
GetComputerNameW computer_name: TEST22-PC 1 1 0
API Arguments Status Return Repeated
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
API Arguments Status Return Repeated
CryptExportKey buffer: <INVALID POINTER> crypto_handle: 0x00a9ff00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6 1 1 0
CryptExportKey buffer: <INVALID POINTER> crypto_handle: 0x00a9ff00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6 1 1 0
CryptExportKey buffer: <INVALID POINTER> crypto_handle: 0x00aa0140 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6 1 1 0
CryptExportKey buffer: <INVALID POINTER> crypto_handle: 0x00aa0140 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6 1 1 0
CryptExportKey buffer: <INVALID POINTER> crypto_handle: 0x00aa0100 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6 1 1 0
CryptExportKey buffer: <INVALID POINTER> crypto_handle: 0x00aa0100 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6 1 1 0
CryptExportKey buffer: <INVALID POINTER> crypto_handle: 0x00aa0100 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6 1 1 0
CryptExportKey buffer: <INVALID POINTER> crypto_handle: 0x00aa00c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6 1 1 0
CryptExportKey buffer: <INVALID POINTER> crypto_handle: 0x00a9ff00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6 1 1 0
CryptExportKey buffer: <INVALID POINTER> crypto_handle: 0x00a9ff00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6 1 1 0
CryptExportKey buffer: <INVALID POINTER> crypto_handle: 0x00aa0200 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6 1 1 0
CryptExportKey buffer: <INVALID POINTER> crypto_handle: 0x00b1cb18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6 1 1 0
pdb_path C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb
API Arguments Status Return Repeated
GlobalMemoryStatusEx 1 1 0
resource name FILES
suspicious_features POST method with no referer header suspicious_request POST http://pywolwnvd.biz/jllmt
suspicious_features POST method with no referer header suspicious_request POST http://pywolwnvd.biz/ohgpjlgpufy
suspicious_features POST method with no referer header suspicious_request POST http://ssbzmoy.biz/exchrhxvvknq
suspicious_features POST method with no referer header suspicious_request POST http://cvgrf.biz/gvhcrnwmlqps
suspicious_features POST method with no referer header suspicious_request POST http://npukfztj.biz/ujqpx
suspicious_features POST method with no referer header suspicious_request POST http://knjghuig.biz/de
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=7:2423934905&cup2hreq=2fa50bd21c1078a6ca14d071a0cff2e2cf75a163344e5d3d185a0eb0944a8465
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2
request POST http://pywolwnvd.biz/jllmt
request POST http://pywolwnvd.biz/ohgpjlgpufy
request POST http://ssbzmoy.biz/exchrhxvvknq
request POST http://cvgrf.biz/gvhcrnwmlqps
request POST http://npukfztj.biz/ujqpx
request HEAD http://edgedl.me.gvt1.com/edgedl/release2/update2/iqmnfy5ub2wrt6itb67uu4wcci_1.3.36.372/GoogleUpdateSetup.exe
request GET http://edgedl.me.gvt1.com/edgedl/release2/update2/iqmnfy5ub2wrt6itb67uu4wcci_1.3.36.372/GoogleUpdateSetup.exe
request POST http://knjghuig.biz/de
request GET https://clients2.google.com/service/check2?appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.33.7&applang=&machine=1&version=1.3.33.7&userid=&osversion=6.1&servicepack=Service%20Pack%201
request POST https://update.googleapis.com/service/update2?cup2key=7:2423934905&cup2hreq=2fa50bd21c1078a6ca14d071a0cff2e2cf75a163344e5d3d185a0eb0944a8465
request POST https://update.googleapis.com/service/update2
request POST http://pywolwnvd.biz/jllmt
request POST http://pywolwnvd.biz/ohgpjlgpufy
request POST http://ssbzmoy.biz/exchrhxvvknq
request POST http://cvgrf.biz/gvhcrnwmlqps
request POST http://npukfztj.biz/ujqpx
request POST http://knjghuig.biz/de
request POST https://update.googleapis.com/service/update2?cup2key=7:2423934905&cup2hreq=2fa50bd21c1078a6ca14d071a0cff2e2cf75a163344e5d3d185a0eb0944a8465
request POST https://update.googleapis.com/service/update2
API Arguments Status Return Repeated
NtProtectVirtualMemory process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 421888 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009e0000 process_handle: 0xffffffff 1 0 0
NtAllocateVirtualMemory process_identifier: 2552 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff 1 0 0
NtAllocateVirtualMemory process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff 1 0 0
NtProtectVirtualMemory process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff 1 0 0
NtProtectVirtualMemory process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff 1 0 0
NtAllocateVirtualMemory process_identifier: 2552 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03190000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff 1 0 0
NtAllocateVirtualMemory process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03370000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff 1 0 0
NtAllocateVirtualMemory process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02db2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff 1 0 0
NtAllocateVirtualMemory process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff 1 0 0
NtAllocateVirtualMemory process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff 1 0 0
NtAllocateVirtualMemory process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02dba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff 1 0 0
NtAllocateVirtualMemory process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02dbc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff 1 0 0
NtAllocateVirtualMemory process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f43000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff 1 0 0
NtAllocateVirtualMemory process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02dcc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff 1 0 0
NtAllocateVirtualMemory process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ddb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff 1 0 0
NtAllocateVirtualMemory process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02dd7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff 1 0 0
NtAllocateVirtualMemory process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f44000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff 1 0 0
NtAllocateVirtualMemory process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff 1 0 0
NtAllocateVirtualMemory process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02dd5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff 1 0 0
NtAllocateVirtualMemory process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02dcd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff 1 0 0
NtAllocateVirtualMemory process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02df6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff 1 0 0
NtAllocateVirtualMemory process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f31000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff 1 0 0
NtAllocateVirtualMemory process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02dce000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff 1 0 0
NtAllocateVirtualMemory process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02dcf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff 1 0 0
NtAllocateVirtualMemory process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff 1 0 0
NtAllocateVirtualMemory process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05500000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff 1 0 0
NtAllocateVirtualMemory process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f33000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff 1 0 0
NtAllocateVirtualMemory process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02dfa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff 1 0 0
NtAllocateVirtualMemory process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02df7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff 1 0 0
NtAllocateVirtualMemory process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02dca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff 1 0 0
NtAllocateVirtualMemory process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f34000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff 1 0 0
NtAllocateVirtualMemory process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f35000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff 1 0 0
file C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
file C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
file C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
file C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
file C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
file C:\Windows\System32\dllhost.exe
file C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
file C:\Windows\System32\alg.exe
file C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
file C:\Program Files (x86)\Microsoft Office\Office12\GrooveAuditService.exe
file C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
file C:\Windows\System32\FXSSVC.exe
section .rsrc virtual_address 0x00016000 virtual_size 0x00533074 size_of_data 0x00533200 entropy 7.448541704294845 description A section with a high entropy has been found
section .reloc virtual_address 0x0054a000 virtual_size 0x00090000 size_of_data 0x0008f000 entropy 7.933646786813592 description A section with a high entropy has been found
entropy 0.98810222036 description Overall entropy of this PE file is high
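The two section hits and the whole-file figure above come from an entropy check over the PE section table. The script below is an added example, not ZeroBOX code or the signature that produced these lines: it reads the section table with the standard library only, computes Shannon entropy per section in bits per byte, and scales whole-file entropy to the 0..1 range the report prints. The 7.0 and 0.9 thresholds, the entropy/8 scaling, and the two-section PE32 it constructs for an offline run are assumptions made for this example, not values taken from the sandbox; point it at a real file to reproduce the report's per-section numbers.

```python
"""Section and whole-file entropy check for a PE (added example, not ZeroBOX code)."""
import math
import random
import struct
from collections import Counter

# Assumed thresholds; the report does not state the ones its signature uses.
HIGH_SECTION_ENTROPY = 7.0   # bits per byte, maximum 8.0
HIGH_FILE_ENTROPY = 0.9      # whole-file entropy scaled to 0..1 (assumed: entropy / 8)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(data: bytes):
    """Yield (name, virtual_address, virtual_size, raw_offset, raw_size) from the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (number_of_sections,) = struct.unpack_from("<H", data, coff + 2)
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + size_of_optional          # section headers follow the optional header
    for i in range(number_of_sections):
        off = table + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, roff = struct.unpack_from("<IIII", data, off + 8)
        yield name, vaddr, vsize, roff, rsize


def analyse(data: bytes) -> dict:
    """Per-section entropy plus the 0..1 whole-file figure, each with a high flag."""
    sections = []
    for name, vaddr, vsize, roff, rsize in pe_sections(data):
        ent = shannon_entropy(data[roff:roff + rsize])
        sections.append({"name": name, "virtual_address": vaddr, "virtual_size": vsize,
                         "size_of_data": rsize, "entropy": ent,
                         "high": ent >= HIGH_SECTION_ENTROPY})
    overall = shannon_entropy(data) / 8.0
    return {"sections": sections, "overall": overall,
            "overall_high": overall >= HIGH_FILE_ENTROPY}


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 image for an offline run; it is not the sample above."""
    rng = random.Random(1)
    text = bytes([0x90, 0xC3]) * 0x100                        # 0x200 bytes, exactly 1.0 bit/byte
    rsrc = bytes(rng.getrandbits(8) for _ in range(0x1000))   # 0x1000 pseudo-random bytes
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    optional = struct.pack("<H", 0x10B).ljust(224, b"\0")     # PE32 magic, rest zeroed

    def section(name, vaddr, vsize, roff, rsize, flags):
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, vaddr, rsize, roff,
                                                  0, 0, 0, 0, flags)

    headers = (dos + b"PE\0\0" + coff + optional
               + section(b".text", 0x1000, len(text), 0x200, len(text), 0x60000020)
               + section(b".rsrc", 0x2000, len(rsrc), 0x400, len(rsrc), 0x40000040))
    return headers.ljust(0x200, b"\0") + text + rsrc


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    result = analyse(blob)
    for s in result["sections"]:
        print(f'{s["name"]:8} va=0x{s["virtual_address"]:08x} size=0x{s["size_of_data"]:08x} '
              f'entropy={s["entropy"]:.3f}{"  HIGH" if s["high"] else ""}')
    print(f'overall={result["overall"]:.4f}{"  HIGH" if result["overall_high"] else ""}')
```

Section entropy near 8 bits per byte, as in the .rsrc and .reloc figures above, is what compressed or encrypted payloads look like; a .reloc section at 7.93 is especially out of place, since relocation data is normally highly regular. Entropy alone does not distinguish a packer from an installer carrying a compressed archive, so the figure is a prompt to unpack and look, not a verdict.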
API Arguments Status Return Repeated
LookupPrivilegeValueW system_name: (empty) privilege_name: SeTakeOwnershipPrivilege 1 1 0
LookupPrivilegeValueW system_name: (empty) privilege_name: SeDebugPrivilege 1 1 0
host 142.250.197.3
host 142.250.198.99
host 142.250.71.174
API Arguments Status Return Repeated
NtQuerySystemInformation information_class: 8 (SystemProcessorPerformanceInformation) 1 0 0
file C:\Users\test22\AppData\Local\Temp\ScreenConnect.WindowsInstaller\ScreenConnect.WindowsInstaller.exe
Bkav W32.AIDetectMalware
Lionic Virus.Win32.Expiro.n!c
CAT-QuickHeal W32.Expiro.R3
Skyhigh BehavesLike.Win32.ConnectWise.tc
ALYac Win32.Expiro.Gen.7
Cylance Unsafe
VIPRE Win32.Expiro.Gen.7
Sangfor Trojan.Win32.Save.a
BitDefender Win32.Expiro.Gen.7
K7GW Virus ( 005a8b911 )
K7AntiVirus Virus ( 005a8b911 )
Arcabit Win32.Expiro.Gen.7
VirIT Win32.Expiro.CX
Symantec W32.Xpiro.J!dam
Elastic Windows.Virus.Expiro
ESET-NOD32 Win32/Expiro.NDO
APEX Malicious
Avast Win32:Expiro-HJ [Inf]
Kaspersky Virus.Win32.Moiva.a
Alibaba Virus:Win32/Expiro.06b3c076
NANO-Antivirus Virus.Win32.Virut-Gen.bwpxnc
MicroWorld-eScan Win32.Expiro.Gen.7
Rising Virus.Expiro!1.A140 (CLASSIC)
Emsisoft Win32.Expiro.Gen.7 (B)
F-Secure Malware.W32/Infector.Gen
DrWeb Win32.Expiro.153
TrendMicro Virus.Win32.EXPIRO.JMA
McAfeeD ti!CC0A63AC38D1
Trapmine malicious.moderate.ml.score
CTX exe.virus.expiro
Sophos W32/Moiva-C
SentinelOne Static AI - Malicious PE
FireEye Generic.mg.8115c820fc40abb9
Jiangmin Trojan.Agent.edgo
Google Detected
Avira W32/Infector.Gen
Antiy-AVL Virus/Win32.Expiro.x
Gridinsoft Ransom.Win32.Sabsik.sa
Microsoft Virus:Win32/Expiro.AA!MTB
ZoneAlarm W32/Moiva-C
GData Win32.Expiro.Gen.7
Varist W32/Expiro.AU.gen!Eldorado
AhnLab-V3 Virus/Win.Expiro.X2164
Acronis suspicious
McAfee Artemis!8115C820FC40
TACHYON Virus/W32.Movia
DeepInstinct MALICIOUS
VBA32 Trojan.Sabsik.TE
Malwarebytes Virus.M0yv
Ikarus Virus.Win32.Expiro
dead_host 72.52.178.23:80
dead_host 82.112.184.197:80