start.exea

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.wus
section	.mep

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PUS

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 11, 2021, 3:43 p.m.	process_identifier: 900 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 593920 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b20000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 11, 2021, 3:43 p.m.	process_identifier: 900 region_size: 1155072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section	{u'size_of_data': u'0x000ad200', u'virtual_address': u'0x00001000', u'entropy': 7.918815108081629, u'name': u'.text', u'virtual_size': u'0x000ad0c1'}				entropy	7.91881510808				description	A section with a high entropy has been found
entropy	0.861854387057				description	Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (2 events)

url	http://www.openssl.org/support/faq.html
url	http://www.i

Yara rule detected in process memory (41 events)

description	Code injection with CreateRemoteThread in a remote process				rule	inject_thread
description	Create a windows service				rule	create_service
description	Communications over UDP network				rule	network_udp_sock
description	Listen for incoming communication				rule	network_tcp_listen
description	Communications over P2P network				rule	network_p2p_win
description	Communications over HTTP				rule	network_http
description	File downloader/dropper				rule	network_dropper
description	Communications over FTP				rule	network_ftp
description	Communications over RAW socket				rule	network_tcp_socket
description	Communications use DNS				rule	network_dns
description	Communication using dga				rule	network_dga
description	Escalade priviledges				rule	escalate_priv
description	Take screenshot				rule	screenshot
description	Run a keylogger				rule	keylogger
description	Steal credential				rule	cred_local
description	Record Audio				rule	sniff_audio
description	APC queue tasks migration				rule	migrate_apc
description	Malware can spread east-west using share drive				rule	spreading_share
description	Create or check mutex				rule	win_mutex
description	Affect system registries				rule	win_registry
description	Affect system token				rule	win_token
description	Affect private profile				rule	win_private_profile
description	Affect private profile				rule	win_files_operation
description	Match Winsock 2 API library declaration				rule	Str_Win32_Winsock2_Library
description	Match Windows Inet API library declaration				rule	Str_Win32_Wininet_Library
description	Match Windows Inet API call				rule	Str_Win32_Internet_API
description	Match Windows Http API call				rule	Str_Win32_Http_API
description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerCheck__RemoteAPI
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	DebuggerException__ConsoleCtrl
description	(no description)				rule	DebuggerException__SetConsoleCtrl
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	(no description)				rule	Check_Dlls
description	Checks if being debugged				rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert				rule	antisb_threatExpert
description	Bypass DEP				rule	disable_dep
description	Affect hook table				rule	win_hook

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKDZ.73131
FireEye	Generic.mg.32f3be8697cbd7c4
CAT-QuickHeal	Trojanransom.Stop
McAfee	Packed-GBF!32F3BE8697CB
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005783f91 )
Alibaba	Ransom:Win32/generic.ali2000027
K7GW	Trojan ( 005783f91 )
Cybereason	malicious.697cbd
Arcabit	Trojan.Generic.D11DAB
BitDefenderTheta	Gen:NN.ZexaF.34608.YG0@aqqPEFhG
Cyren	W32/Azorult.P.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
TrendMicro-HouseCall	TrojanSpy.Win32.RANSOM.USMANBP21
Avast	Win32:BotX-gen [Trj]
ClamAV	Win.Dropper.Mokes-9835362-0
Kaspersky	HEUR:Trojan-Ransom.Win32.Stop.gen
BitDefender	Trojan.GenericKDZ.73131
NANO-Antivirus	Trojan.Win32.Stop.imjfpm
Paloalto	generic.ml
ViRobot	Trojan.Win32.Z.Stop.823808
Tencent	Win32.Trojan.Raas.Auto
Ad-Aware	Trojan.GenericKDZ.73131
Emsisoft	Trojan.Crypt (A)
DrWeb	Trojan.Hosts.48251
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TrojanSpy.Win32.RANSOM.USMANBP21
McAfee-GW-Edition	BehavesLike.Win32.Generic.cc
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
ESET-NOD32	a variant of Win32/Kryptik.HJPL
Webroot	W32.Trojan.Gen
Avira	TR/AD.InstaBot.BH
Gridinsoft	Trojan.Win32.Kryptik.vb
Microsoft	Trojan:Win32/Azorult.MZ!MTB
AegisLab	Trojan.Win32.Stop.j!c
ZoneAlarm	HEUR:Trojan-Ransom.Win32.Stop.gen
GData	Trojan.GenericKDZ.73131
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Gen.RL_Reputation.R367821
Acronis	suspicious
VBA32	BScope.Backdoor.Mokes
ALYac	Trojan.Ransom.Stop
MAX	malware (ai score=100)
Malwarebytes	Trojan.MalPack.GS
APEX	Malicious
Rising	Ransom.Stop!8.10810 (C64:YzY0OnE6veYr8he4)