Report #12649 check_circle

  • Creation Date: June 14, 2021, 4:56 p.m.
  • Last Update: June 14, 2021, 5:01 p.m.
  • File: pafish.exe
  • Results:
Binary
DLL
False cancel
Size
75.00KB
trid
61.7% Win64 Executable
14.6% Win32 Dynamic Link Library
10.0% Win32 Executable
4.5% OS/2 Executable
4.4% Generic Win/DOS Executable
type
PE
wordsize
32
Subsystem
Windows CLI
Hashes
md5
9159edb64c4a21d8888d088bf2db23f3
sha1
124f46228d1e220d88ae5e9a24d6e713039a64f9
crc32
0x6f030481
sha224
4792448e69c0b03af9817c48240c98bf7f9370266afe14b0ab9a03a3
sha256
2180f4a13add5e346e8cf6994876a9d2f5eac3fcb695db8569537010d24cd6d5
sha384
b626d6880425c0edda3892adde899bc9ba6ac6cc37d35186f6bf4593e953a82a69f819a6b244859d49cb6d23807c1670
sha512
4b6d56b81dd3cd42bb53fc8d68b5c8ef0d6c85ebcc503cd042ae5c19e8965e6477f259a02bafb9c5c66956ae1023fc30e3be5bbcd526eacc8480f93d74c1ab7c
ssdeep
1536:tI05L48IVDAQVzZpJyrOM1GhFNkYL2BxNRj:tI05LBIDAuztyrOMGTkrNRj
Community
Google
False cancel
HashLib
False cancel
YARA
Matches
Sandboxie_Detection, domain, vmdetect, Check_FilePaths, VirtualBox_Detection, Check_Qemu_Description, antivm_virtualbox, Check_OutputDebugStringA_iat, Check_Qemu_DeviceMap, antisb_sandboxie, Check_VmTools, network_dns, Check_VBox_Guest_Additions, IsPacked, Qemu_Detection, WMI_strings, VM_Generic_Detection, contentis_base64, IsPE32, Check_Wine, VMWare_Detection, Check_VBox_DeviceMap, Check_VBox_Description, anti_dbg, Check_VBox_VideoDrivers, win_registry, Check_VMWare_DeviceMap, IsConsole, vmdetect_misc, Misc_Suspicious_Strings, antivm_bios, System_Tools

Suspicious
True check_circle

Strings
List
VMware traced using file C:\WINDOWS\system32\drivers\vmmouse.sys
VMware traced using file C:\WINDOWS\system32\drivers\vmhgfs.sys
C:\WINDOWS\system32\vboxoglfeedbackspu.dll
C:\WINDOWS\system32\vboxoglpassthroughspu.dll
C:\WINDOWS\system32\vboxservice.exe
C:\WINDOWS\system32\vboxoglcrutil.dll
C:\WINDOWS\system32\vboxoglerrorspu.dll
C:\WINDOWS\system32\vboxoglpackspu.dll
C:\WINDOWS\system32\vboxoglarrayspu.dll
C:\WINDOWS\system32\VBoxControl.exe
Looking for C:\WINDOWS\system32\drivers\vmmouse.sys
Looking for C:\WINDOWS\system32\drivers\vmhgfs.sys
C:\WINDOWS\system32\vboxhook.dll
C:\WINDOWS\system32\vboxtray.exe
C:\WINDOWS\system32\vboxogl.dll
C:\WINDOWS\system32\vboxdisp.dll
C:\WINDOWS\system32\drivers\VBoxMouse.sys
C:\WINDOWS\system32\drivers\vmmouse.sys
C:\WINDOWS\system32\drivers\VBoxGuest.sys
C:\WINDOWS\system32\drivers\VBoxVideo.sys
C:\WINDOWS\system32\vboxmrxnp.dll
C:\WINDOWS\system32\drivers\VBoxSF.sys
C:\WINDOWS\system32\drivers\vmhgfs.sys
%smalware.exe
C:\program files\oracle\virtualbox guest additions\
%ssample.exe
Driver files in C:\WINDOWS\system32\drivers\VBox*
\\.\VBoxTrayIPC
vboxtray.exe
vboxservice.exe
Looking for VBox processes (vboxservice.exe, vboxtray.exe)
\\.\pipe\VBoxMiniRdDN
\\.\PhysicalDrive0
Reg key (HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions)
\\.\pipe\VBoxTrayIPC
\\.\VBoxMiniRdrDN
[pafish] %s
Sandboxie traced using GetModuleHandle(sbiedll.dll)
SOFTWARE\Oracle\VirtualBox Guest Additions
SOFTWARE\VMware, Inc.\VMware Tools
VirtualBox traced using Reg key HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
pafish.log
Reg key (HKLM\SOFTWARE\VMware, Inc.\VMware Tools)
sbiedll.dll
WS2_32.dll
SYSTEM\ControlSet001\Services\VBoxSF
libgcj-16.dll
HARDWARE\ACPI\RSDT\VBOX__
HARDWARE\ACPI\DSDT\VBOX__
HARDWARE\ACPI\FADT\VBOX__
Reg key (HKLM\HARDWARE\ACPI\RSDT\VBOX__)
Reg key (HKLM\HARDWARE\ACPI\DSDT\VBOX__)
VMware traced using Reg key HKLM\SOFTWARE\VMware, Inc.\VMware Tools
VMWare traced using Reg key HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0,1,2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 "Identifier"
Reg key (HKLM\HARDWARE\ACPI\FADT\VBOX__)
Reg key (HKLM\SYSTEM\ControlSet001\Services\VBox*)
VirtualBox traced using Reg key HKLM\HARDWARE\ACPI\RSDT\VBOX__
VirtualBox traced using Reg key HKLM\HARDWARE\ACPI\DSDT\VBOX__
VirtualBox traced using Reg key HKLM\HARDWARE\ACPI\FADT\VBOX__
VirtualBox traced using Reg key HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 "Identifier"
SYSTEM\ControlSet001\Services\VBoxGuest
SYSTEM\ControlSet001\Services\VBoxMouse
SYSTEM\ControlSet001\Services\VBoxVideo
SYSTEM\ControlSet001\Services\VBoxService
Reg key (HKLM\HARDWARE\DESCRIPTION\System "SystemBiosDate")
Reg key (HKLM\HARDWARE\Description\System "VideoBiosVersion")
VirtualBox traced using Reg key HKLM\HARDWARE\DESCRIPTION\System "SystemBiosDate"
VirtualBox traced using Reg key HKLM\HARDWARE\Description\System "VideoBiosVersion"
Reg key (HKLM\HARDWARE\Description\System "SystemBiosVersion")
VirtualBox traced using Reg key HKLM\HARDWARE\Description\System "SystemBiosVersion"
VirtualBox traced using vboxtray.exe process
HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0
HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0
HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
Bochs traced using Reg key HKLM\HARDWARE\Description\System "SystemBiosVersion"
Qemu traced using Reg key HKLM\HARDWARE\Description\System "SystemBiosVersion"
HARDWARE\DESCRIPTION\System
HARDWARE\Description\System
HARDWARE\Description\System
HARDWARE\Description\System
Qemu traced using Reg key HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 "Identifier"
\\.\HGFS
VirtualBox traced using vboxservice.exe process
SOFTWARE\Wine
Wine traced using GetProcAddress(wine_get_unix_file_name) from kernel32.dll
Using GetProcAddress(wine_get_unix_file_name) from kernel32.dll
D})ae
Checking common sample names in drives root
Sandbox traced by checking if Sleep() was patched using GetTickCount()
Paranoid Fish is paranoid
Using GetModuleHandle(sbiedll.dll)
Windows version: %s
Sandbox traced by checking common sample names in drives root
CPU: %s (HV: %s) %s
CPU: %s %s
Sandbox traced by checking if NumberOfProcessors is less than 2 via raw access
Reg key (HKCU\SOFTWARE\Wine)
Sandbox traced by checking if pysical memory is less than 1Gb

Foremost
Matches
0.exe (75 KB), 78.png (22 KB), 124.png (7 KB), 139.png (1 KB), 143.png (1 KB), 145.png (852 B), 147.png (497 B)
Suspicious
True check_circle
Heuristics
IPs
hasIPs: False cancel
Allowed
Suspicious
hasAllowed: False cancel
hasSuspicious: False cancel

URLs
Allowed
hasURLs: False cancel
Suspicious
hasAllowed: False cancel
hasSuspicious: False cancel

Files
Allowed: Using GetProcAddress(wine_get_unix_file_name) from kernel32.dll, IPHLPAPI.DLL, ADVAPI32.dll, Wine traced using GetProcAddress(wine_get_unix_file_name) from kernel32.dll, C:\WINDOWS\system32\vboxogl.dll, ole32.dll, USER32.dll, SHELL32.dll, C:\WINDOWS\system32\vboxoglpackspu.dll, OLEAUT32.dll, C:\WINDOWS\system32\vboxhook.dll, C:\WINDOWS\system32\vboxoglfeedbackspu.dll, C:\WINDOWS\system32\vboxoglerrorspu.dll, MPR.DLL, kernel32.dll, msvcrt.dll, C:\WINDOWS\system32\vboxdisp.dll, C:\WINDOWS\system32\vboxoglpassthroughspu.dll, sbiedll.dll, libgcj-16.dll, C:\WINDOWS\system32\vboxoglcrutil.dll, C:\WINDOWS\system32\vboxoglarrayspu.dll, C:\WINDOWS\system32\vboxmrxnp.dll, WS2_32.dll
hasFiles: True check_circle
Suspicious: pafish.log
hasAllowed: True check_circle
hasSuspicious: True check_circle

Binary
Sizes
RVA
RVA: 16
Suspicious: False cancel
Code
Size: 75776
Suspicious: False cancel
Image
Address: 4194304
Suspicious: False cancel
Stack
Stack: 4096
Suspicious: False cancel
Headers
Headers: 1024
Suspicious: False cancel
Suspicious: False cancel

Symbols
Number
Number: 0
Suspicious: True check_circle
Pointer
Pointer: 0
Suspicious: True check_circle
Directories
Number: 16
Suspicious: False cancel

Checksum
Value: 77210
Suspicious: False cancel

Sections
Allowed: .text, .data, .rdata, .bss, .idata, .crt, .tls, .rsrc
Suspicious
hasAllowed: True check_circle
hasSections: True check_circle
hasSuspicious: False cancel

Versions
OS
Version: 4
Suspicious: False cancel
Image
Version: 4
Suspicious: False cancel
Linker
Version: 2.26
Suspicious: False cancel
Subsystem
Version: 4.0
Suspicious: False cancel
Suspicious: False cancel

EntryPoint
Address: 5344
Suspicious: False cancel

Anomalies
Anomalies
hasAnomalies: False cancel

Libraries
Allowed: advapi32.dll, ole32.dll, user32.dll, shell32.dll, oleaut32.dll, mpr.dll, kernel32.dll, msvcrt.dll, ws2_32.dll
hasLibs: True check_circle
Suspicious: using getprocaddress(wine_get_unix_file_name) from kernel32.dll, iphlpapi.dll, wine traced using getprocaddress(wine_get_unix_file_name) from kernel32.dll, c:\windows\system32\vboxogl.dll, c:\windows\system32\vboxoglpackspu.dll, c:\windows\system32\vboxhook.dll, c:\windows\system32\vboxoglfeedbackspu.dll, c:\windows\system32\vboxoglerrorspu.dll, c:\windows\system32\vboxdisp.dll, c:\windows\system32\vboxoglpassthroughspu.dll, sbiedll.dll, libgcj-16.dll, c:\windows\system32\vboxoglcrutil.dll, c:\windows\system32\vboxoglarrayspu.dll, c:\windows\system32\vboxmrxnp.dll
hasAllowed: True check_circle
hasSuspicious: True check_circle

Timestamp
Past: False cancel
Valid: True check_circle
Value: 2016-08-27 08:37:13
Future: False cancel

Compilation
Packed: False cancel
Missing: True check_circle
Packers
Compiled: False cancel
Compilers

Obfuscation
XOR: False cancel
Fuzzing: False cancel

PEDetector
Matches
None
Suspicious
False cancel
Disassembly
hasTricks
True check_circle
Tricks
pushret
.rsrc: 19
.idata: 7
.rdata: 1

nopsequence
.text: 26

pushpopmath
.rsrc: 6
.rdata: 13

garbagebytes
.rsrc: 5

hookdetection
.rsrc: 1

fakeconditionaljumps
.rsrc: 1

programcontrolflowchange
.rsrc: 4

AVclass
khalesi
1
VirusTotal
md5
9159edb64c4a21d8888d088bf2db23f3
sha1
124f46228d1e220d88ae5e9a24d6e713039a64f9
SCANS (DETECTION RATE = 51.52%)
CMC
update: 20210506
version: 2.10.2019.1
detected: False cancel

MAX
result: malware (ai score=99)
update: 20210609
version: 2019.9.16.1
detected: True check_circle

APEX
result: Malicious
update: 20210607
version: 6.172
detected: True check_circle

Bkav
result: W32.AIDetect.malware1
update: 20210608
version: 1.3.0.9899
detected: True check_circle

K7GW
result: Unwanted-Program ( 004d38111 )
update: 20210609
version: 11.187.37400
detected: True check_circle

ALYac
result: Trojan.Khalesi.gen
update: 20210609
version: 1.1.3.1
detected: True check_circle

Avira
update: 20210609
version: 8.3.3.12
detected: False cancel

Baidu
update: 20190318
version: 1.0.0.2
detected: False cancel

Cynet
result: Malicious (score: 100)
update: 20210609
version: 4.0.0.27
detected: True check_circle

Cyren
result: W32/Maskit.A.gen!Eldorado
update: 20210609
version: 6.3.0.2
detected: True check_circle

DrWeb
update: 20210609
version: 7.0.49.9080
detected: False cancel

GData
result: Win32.Trojan.Agent.9W4HFY
update: 20210609
version: A:25.29907B:27.23299
detected: True check_circle

Panda
update: 20210608
version: 4.6.4.2
detected: False cancel

VBA32
update: 20210609
version: 5.0.0
detected: False cancel

VIPRE
result: Trojan.Win32.Generic!BT
update: 20210609
version: 93164
detected: True check_circle

Zoner
update: 20210608
version: 0.0.0.0
detected: False cancel

ClamAV
update: 20210608
version: 0.103.2.0
detected: False cancel

Comodo
result: Application.Win32.Wacapew.DBD@8sj24k
update: 20210609
version: 33605
detected: True check_circle

Ikarus
result: Trojan.Win32.Khalesi
update: 20210609
version: 0.1.5.2
detected: True check_circle

McAfee
update: 20210609
version: 6.0.6.653
detected: False cancel

Rising
result: PUF.ParanoidFish!1.D65A (CLASSIC)
update: 20210609
version: 25.0.0.26
detected: True check_circle

Sophos
result: Mal/Generic-R + Troj/AutoG-DV
update: 20210609
version: 1.0.2.0
detected: True check_circle

Yandex
result: Trojan.GenAsa!NbvtfM/2H8c
update: 20210609
version: 5.5.2.24
detected: True check_circle

Zillya
result: Trojan.Khalesi.Win32.1493
update: 20210607
version: 2.0.0.4382
detected: True check_circle

Acronis
update: 20210512
version: 1.1.1.82
detected: False cancel

Alibaba
result: Trojan:Win32/Khalesi.16ca508f
update: 20190527
version: 0.3.0.5
detected: True check_circle

Arcabit
update: 20210609
version: 1.0.0.886
detected: False cancel

Elastic
update: 20210524
version: 4.0.22
detected: False cancel

FireEye
result: Generic.mg.9159edb64c4a21d8
update: 20210609
version: 32.44.1.0
detected: True check_circle

Sangfor
result: Trojan.Win32.Save.a
update: 20210607
version: 2.9.0.0
detected: True check_circle

TACHYON
result: Trojan/W32.Khalesi.76800
update: 20210609
version: 2021-06-09.02
detected: True check_circle

Tencent
update: 20210609
version: 1.0.0.1
detected: False cancel

ViRobot
result: Trojan.Win32.Z.Khalesi.76800
update: 20210609
version: 2014.3.20.0
detected: True check_circle

Webroot
result: W32.Riskware.Pafish
update: 20210609
version: 1.0.0.403
detected: True check_circle

eGambit
update: 20210609
detected: False cancel

Ad-Aware
update: 20210609
version: 3.0.21.179
detected: False cancel

AegisLab
result: Trojan.Win32.Khalesi.tpxB
update: 20210609
version: 4.2
detected: True check_circle

Emsisoft
update: 20210609
version: 2018.12.0.1641
detected: False cancel

F-Secure
update: 20210609
version: 12.0.86.52
detected: False cancel

Fortinet
result: W32/Fareit.A
update: 20210609
version: 6.2.142.0
detected: True check_circle

Jiangmin
result: Trojan.Khalesi.as
update: 20210608
version: 16.0.100
detected: True check_circle

Kingsoft
result: Win32.Troj.Agent.uu.(kcloud)
update: 20210609
version: 2017.9.26.565
detected: True check_circle

Paloalto
result: generic.ml
update: 20210609
version: 1.0
detected: True check_circle

Symantec
update: 20210609
version: 1.14.0.0
detected: False cancel

AhnLab-V3
result: PUP/Win32.ParanoidFish.R289290
update: 20210609
version: 3.20.2.10137
detected: True check_circle

Antiy-AVL
update: 20210609
version: 3.0.0.1
detected: False cancel

MaxSecure
result: Win.MxResIcn.Heur.Gen
update: 20210609
version: 1.0.0.1
detected: True check_circle

Microsoft
update: 20210609
version: 1.1.18200.4
detected: False cancel

Qihoo-360
update: 20210609
version: 1.0.0.1120
detected: False cancel

ZoneAlarm
update: 20210609
version: 1.0
detected: False cancel

Cybereason
update: 20210330
version: 1.2.449
detected: False cancel

ESET-NOD32
result: a variant of Win32/ParanoidFish.A potentially unsafe
update: 20210609
version: 23432
detected: True check_circle

Gridinsoft
update: 20210609
version: 1.0.44.137
detected: False cancel

TrendMicro
update: 20210609
version: 11.0.0.1006
detected: False cancel

BitDefender
update: 20210609
version: 7.2
detected: False cancel

CrowdStrike
update: 20210203
version: 1.0
detected: False cancel

K7AntiVirus
result: Unwanted-Program ( 004d38111 )
update: 20210609
version: 11.187.37399
detected: True check_circle

SentinelOne
result: Static AI - Suspicious PE
update: 20210518
version: 5.1.0.5
detected: True check_circle

Malwarebytes
result: Generic.Trojan.Malicious.DDS
update: 20210609
version: 4.2.2.27
detected: True check_circle

CAT-QuickHeal
update: 20210608
version: 14.00
detected: False cancel

NANO-Antivirus
result: Trojan.Win32.Khalesi.fdxhjb
update: 20210609
version: 1.0.146.25311
detected: True check_circle

BitDefenderTheta
update: 20210602
version: 7.2.37796.0
detected: False cancel

MicroWorld-eScan
update: 20210609
version: 14.0.409.0
detected: False cancel

SUPERAntiSpyware
result: Trojan.Agent/Gen-ParanoidFish
update: 20210605
version: 5.6.0.1032
detected: True check_circle

McAfee-GW-Edition
update: 20210608
version: v2019.1.2+3728
detected: False cancel

TrendMicro-HouseCall
update: 20210609
version: 10.0.0.1040
detected: False cancel

total
66
sha256
2180f4a13add5e346e8cf6994876a9d2f5eac3fcb695db8569537010d24cd6d5
scan_id
2180f4a13add5e346e8cf6994876a9d2f5eac3fcb695db8569537010d24cd6d5-1623231552
resource
9159edb64c4a21d8888d088bf2db23f3
positives
34
scan_date
2021-06-09 09:39:12
verbose_msg
Scan finished, information embedded
response_code
1
File
Trace
Time | Operation | PID | Process | Path | Name
14/6/2021 - 16:45:42.700 | Open | 2476 | C:\malware.exe | C:\Monitor\pafish.log |
14/6/2021 - 16:45:42.700 | Write | 2476 | C:\malware.exe | C:\Monitor\pafish.log |
14/6/2021 - 16:45:42.700 | Unknown | 2476 | C:\malware.exe | C:\Monitor\pafish.log |
14/6/2021 - 16:45:42.700 | Open | 2476 | C:\malware.exe | C:\Monitor\pafish.log |
14/6/2021 - 16:45:42.700 | Write | 2476 | C:\malware.exe | C:\Monitor\pafish.log |
14/6/2021 - 16:45:42.700 | Unknown | 2476 | C:\malware.exe | C:\Monitor\pafish.log |
14/6/2021 - 16:45:52.700 | Open | 2476 | C:\malware.exe | C:\Monitor\pafish.log |
14/6/2021 - 16:45:52.700 | Write | 2476 | C:\malware.exe | C:\Monitor\pafish.log |
14/6/2021 - 16:45:52.700 | Open | 2476 | C:\malware.exe | C:\Monitor\hi_CPU_VM_rdtsc_force_vm_exit |
14/6/2021 - 16:45:52.700 | Unknown | 2476 | C:\malware.exe | C:\Monitor\hi_CPU_VM_rdtsc_force_vm_exit | hi_CPU_VM_rdtsc_force_vm_exit
14/6/2021 - 16:45:52.700 | Open | 2476 | C:\malware.exe | C:\Monitor\pafish.log |
14/6/2021 - 16:45:52.700 | Write | 2476 | C:\malware.exe | C:\Monitor\pafish.log |
14/6/2021 - 16:45:52.700 | Unknown | 2476 | C:\malware.exe | C:\Monitor\pafish.log |
14/6/2021 - 16:45:52.700 | Open | 2476 | C:\malware.exe | C:\Monitor\hi_CPU_VM_hypervisor_bit |
14/6/2021 - 16:45:52.700 | Unknown | 2476 | C:\malware.exe | C:\Monitor\hi_CPU_VM_hypervisor_bit | hi_CPU_VM_hypervisor_bit
14/6/2021 - 16:45:52.700 | Open | 2476 | C:\malware.exe | C:\Monitor\pafish.log |
14/6/2021 - 16:45:52.700 | Write | 2476 | C:\malware.exe | C:\Monitor\pafish.log |
14/6/2021 - 16:45:52.700 | Unknown | 2476 | C:\malware.exe | C:\Monitor\pafish.log |
14/6/2021 - 16:45:52.700 | Open | 2476 | C:\malware.exe | C:\Monitor\hi_CPU_VM_hv_vendor_name |
14/6/2021 - 16:45:52.700 | Unknown | 2476 | C:\malware.exe | C:\Monitor\hi_CPU_VM_hv_vendor_name | hi_CPU_VM_hv_vendor_name
14/6/2021 - 16:45:54.700 | Open | 2476 | C:\malware.exe | C:\Monitor\pafish.log |
14/6/2021 - 16:45:54.700 | Write | 2476 | C:\malware.exe | C:\Monitor\pafish.log |
14/6/2021 - 16:45:54.700 | Open | 2476 | C:\malware.exe | C:\Monitor\hi_sandbox_mouse_act |
14/6/2021 - 16:45:54.700 | Unknown | 2476 | C:\malware.exe | C:\Monitor\hi_sandbox_mouse_act | hi_sandbox_mouse_act
14/6/2021 - 16:45:54.700 | Open | 2476 | C:\malware.exe | C:\sample.exe |
14/6/2021 - 16:45:54.700 | Open | 2476 | C:\malware.exe | C:\malware.exe |
14/6/2021 - 16:45:54.700 | Open | 2476 | C:\malware.exe | \Device\Harddisk0\DR0 |
14/6/2021 - 16:45:54.700 | Unknown | 2476 | C:\malware.exe | \Device\Harddisk0\DR0 |
14/6/2021 - 16:45:54.700 | Open | 2476 | C:\malware.exe | C:\ |
14/6/2021 - 16:45:54.700 | Unknown | 2476 | C:\malware.exe | C:\ |
14/6/2021 - 16:45:55.200 | Open | 2476 | C:\malware.exe | C:\Monitor\pafish.log |
14/6/2021 - 16:45:55.200 | Write | 2476 | C:\malware.exe | C:\Monitor\pafish.log |
14/6/2021 - 16:45:55.200 | Unknown | 2476 | C:\malware.exe | C:\Monitor\pafish.log |
14/6/2021 - 16:45:55.200 | Open | 2476 | C:\malware.exe | C:\Monitor\hi_sandbox_NumberOfProcessors_less_2_raw |
14/6/2021 - 16:45:55.200 | Unknown | 2476 | C:\malware.exe | C:\Monitor\hi_sandbox_NumberOfProcessors_less_2_raw | hi_sandbox_NumberOfProcessors_less_2_raw
14/6/2021 - 16:45:55.200 | Open | 2476 | C:\malware.exe | C:\Monitor\pafish.log |
14/6/2021 - 16:45:55.200 | Write | 2476 | C:\malware.exe | C:\Monitor\pafish.log |
14/6/2021 - 16:45:55.200 | Unknown | 2476 | C:\malware.exe | C:\Monitor\pafish.log |
14/6/2021 - 16:45:55.200 | Open | 2476 | C:\malware.exe | C:\Monitor\hi_sandbox_NumberOfProcessors_less_2_GetSystemInfo |
14/6/2021 - 16:45:55.200 | Unknown | 2476 | C:\malware.exe | C:\Monitor\hi_sandbox_NumberOfProcessors_less_2_GetSystemInfo | hi_sandbox_NumberOfProcessors_less_2_GetSystemInfo
14/6/2021 - 16:45:55.200 | Open | 2476 | C:\malware.exe | C:\Monitor\pafish.log |
14/6/2021 - 16:45:55.200 | Write | 2476 | C:\malware.exe | C:\Monitor\pafish.log |
14/6/2021 - 16:45:55.200 | Unknown | 2476 | C:\malware.exe | C:\Monitor\pafish.log |
14/6/2021 - 16:45:55.200 | Open | 2476 | C:\malware.exe | C:\Monitor\hi_sandbox_pysicalmemory_less_1Gb |
14/6/2021 - 16:45:55.200 | Unknown | 2476 | C:\malware.exe | C:\Monitor\hi_sandbox_pysicalmemory_less_1Gb | hi_sandbox_pysicalmemory_less_1Gb
14/6/2021 - 16:45:55.215 | Open | 2476 | C:\malware.exe | C:\Windows\System32\drivers\VBoxMouse.sys |
14/6/2021 - 16:45:55.215 | Open | 2476 | C:\malware.exe | C:\Windows\System32\drivers\VBoxGuest.sys |
14/6/2021 - 16:45:55.215 | Open | 2476 | C:\malware.exe | C:\Windows\System32\drivers\VBoxSF.sys |
14/6/2021 - 16:45:55.215 | Open | 2476 | C:\malware.exe | C:\Windows\System32\drivers\VBoxVideo.sys |
14/6/2021 - 16:45:55.215 | Open | 2476 | C:\malware.exe | C:\Windows\System32\vboxdisp.dll |
14/6/2021 - 16:45:55.215 | Open | 2476 | C:\malware.exe | C:\Windows\System32\vboxhook.dll |
14/6/2021 - 16:45:55.215 | Open | 2476 | C:\malware.exe | C:\Windows\System32\vboxmrxnp.dll |
14/6/2021 - 16:45:55.215 | Open | 2476 | C:\malware.exe | C:\Windows\System32\vboxogl.dll |
14/6/2021 - 16:45:55.215 | Open | 2476 | C:\malware.exe | C:\Windows\System32\vboxoglarrayspu.dll |
14/6/2021 - 16:45:55.215 | Open | 2476 | C:\malware.exe | C:\Windows\System32\vboxoglcrutil.dll |
14/6/2021 - 16:45:55.215 | Open | 2476 | C:\malware.exe | C:\Windows\System32\vboxoglerrorspu.dll |
14/6/2021 - 16:45:55.215 | Open | 2476 | C:\malware.exe | C:\Windows\System32\vboxoglfeedbackspu.dll |
14/6/2021 - 16:45:55.215 | Open | 2476 | C:\malware.exe | C:\Windows\System32\vboxoglpackspu.dll |
14/6/2021 - 16:45:55.215 | Open | 2476 | C:\malware.exe | C:\Windows\System32\vboxoglpassthroughspu.dll |
14/6/2021 - 16:45:55.215 | Open | 2476 | C:\malware.exe | C:\Windows\System32\vboxservice.exe |
14/6/2021 - 16:45:55.215 | Open | 2476 | C:\malware.exe | C:\Windows\System32\vboxtray.exe |
14/6/2021 - 16:45:55.215 | Open | 2476 | C:\malware.exe | C:\Windows\System32\VBoxControl.exe |
14/6/2021 - 16:45:55.215 | Open | 2476 | C:\malware.exe | C:\program files\oracle\virtualbox guest additions\ |
14/6/2021 - 16:45:55.215 | Open | 2476 | C:\malware.exe | C:\dhcpcsvc6.DLL |
14/6/2021 - 16:45:55.215 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc6.dll |
14/6/2021 - 16:45:55.215 | Unknown | 2476 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc6.dll | dhcpcsvc6.dll
14/6/2021 - 16:45:55.215 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc6.dll |
14/6/2021 - 16:45:55.215 | Unknown | 2476 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc6.dll | dhcpcsvc6.dll
14/6/2021 - 16:45:55.309 | Open | 2476 | C:\malware.exe | C:\dhcpcsvc.DLL |
14/6/2021 - 16:45:55.309 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc.dll |
14/6/2021 - 16:45:55.309 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc.dll |
14/6/2021 - 16:45:55.387 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\drprov.dll |
14/6/2021 - 16:45:55.387 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\drprov.dll |
14/6/2021 - 16:45:55.418 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\winsta.dll |
14/6/2021 - 16:45:55.418 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\winsta.dll |
14/6/2021 - 16:45:55.418 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\ntlanman.dll |
14/6/2021 - 16:45:55.434 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\ntlanman.dll |
14/6/2021 - 16:45:55.465 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\davclnt.dll |
14/6/2021 - 16:45:55.481 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\davclnt.dll |
14/6/2021 - 16:45:55.575 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\davhlpr.dll |
14/6/2021 - 16:45:55.575 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\davhlpr.dll |
14/6/2021 - 16:45:55.590 | Open | 2476 | C:\malware.exe | C:\Windows\Globalization\Sorting\SortDefault.nls |
14/6/2021 - 16:45:55.590 | Unknown | 2476 | C:\malware.exe | C:\Windows\Globalization\Sorting\SortDefault.nls | SortDefault.nls
14/6/2021 - 16:45:55.590 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\rpcss.dll |
14/6/2021 - 16:45:55.590 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\rpcss.dll |
14/6/2021 - 16:45:55.668 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\wbem\wbemprox.dll |
14/6/2021 - 16:45:55.668 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\wbem\wbemprox.dll |
14/6/2021 - 16:45:55.684 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\wbem\wbemcomn.dll |
14/6/2021 - 16:45:55.684 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\wbemcomn.dll |
14/6/2021 - 16:45:55.684 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\wbemcomn.dll |
14/6/2021 - 16:45:55.762 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\wbem\Logs |
14/6/2021 - 16:45:55.762 | Unknown | 2476 | C:\malware.exe | C:\Windows\SysWOW64\wbem\Logs |
14/6/2021 - 16:45:55.762 | Open | 2476 | C:\malware.exe | C:\CRYPTSP.dll |
14/6/2021 - 16:45:55.762 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\cryptsp.dll |
14/6/2021 - 16:45:55.762 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\cryptsp.dll |
14/6/2021 - 16:45:55.762 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll |
14/6/2021 - 16:45:55.762 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll |
14/6/2021 - 16:45:55.762 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll |
14/6/2021 - 16:45:55.762 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll |
14/6/2021 - 16:45:55.762 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll |
14/6/2021 - 16:45:55.762 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll |
14/6/2021 - 16:45:55.762 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll |
14/6/2021 - 16:45:55.762 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll |
14/6/2021 - 16:45:55.762 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll |
14/6/2021 - 16:45:55.762 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll |
14/6/2021 - 16:45:55.778 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll |
14/6/2021 - 16:45:55.778 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll |
14/6/2021 - 16:45:55.778 | Open | 2476 | C:\malware.exe | C:\RpcRtRemote.dll |
14/6/2021 - 16:45:55.778 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\RpcRtRemote.dll |
14/6/2021 - 16:45:55.778 | Unknown | 2476 | C:\malware.exe | C:\Windows\SysWOW64\RpcRtRemote.dll | RpcRtRemote.dll
14/6/2021 - 16:45:55.778 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\RpcRtRemote.dll |
14/6/2021 - 16:45:55.778 | Unknown | 2476 | C:\malware.exe | C:\Windows\SysWOW64\RpcRtRemote.dll | RpcRtRemote.dll
14/6/2021 - 16:45:55.856 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\wbem\wbemsvc.dll |
14/6/2021 - 16:45:55.856 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\wbem\wbemsvc.dll |
14/6/2021 - 16:45:55.965 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\wbem\fastprox.dll |
14/6/2021 - 16:45:55.965 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\wbem\fastprox.dll |
14/6/2021 - 16:45:55.997 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\wbem\NTDSAPI.dll |
14/6/2021 - 16:45:55.997 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\ntdsapi.dll |
14/6/2021 - 16:45:56.12 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\ntdsapi.dll |
14/6/2021 - 16:45:57.778 | Open | 2476 | C:\malware.exe | C:\Windows\System32\drivers\vmmouse.sys |
14/6/2021 - 16:45:57.778 | Open | 2476 | C:\malware.exe | C:\Windows\System32\drivers\vmhgfs.sys |
14/6/2021 - 16:45:57.950 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\wbem\wbemprox.dll |
14/6/2021 - 16:45:57.950 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\wbem\wbemprox.dll |
14/6/2021 - 16:45:57.950 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\wbem\wbemcomn.dll |
14/6/2021 - 16:45:57.950 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\wbemcomn.dll |
14/6/2021 - 16:45:57.950 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\wbemcomn.dll |
14/6/2021 - 16:45:57.950 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\wbem\Logs |
14/6/2021 - 16:45:57.950 | Unknown | 2476 | C:\malware.exe | C:\Windows\SysWOW64\wbem\Logs |
14/6/2021 - 16:45:57.997 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\wbem\wbemsvc.dll |
14/6/2021 - 16:45:57.997 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\wbem\wbemsvc.dll |
14/6/2021 - 16:45:57.997 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\wbem\fastprox.dll |
14/6/2021 - 16:45:57.997 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\wbem\fastprox.dll |
14/6/2021 - 16:45:57.997 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\wbem\NTDSAPI.dll |
14/6/2021 - 16:45:57.997 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\ntdsapi.dll |
14/6/2021 - 16:45:57.997 | Open | 2476 | C:\malware.exe | C:\Windows\SysWOW64\ntdsapi.dll |
14/6/2021 - 16:45:58.231 | Open | 2476 | C:\malware.exe | C:\Monitor\pafish.log |
14/6/2021 - 16:45:58.231 | Write | 2476 | C:\malware.exe | C:\Monitor\pafish.log |

Process
Trace

Analysis
Reason
Timeout

Status
Successfully Executed

Results
1

Registry
Trace

File Summary
Created
Identified: True check_circle

Deleted
Identified: False cancel

Process Summary
Created
Identified: False cancel

Deleted
Identified: False cancel

Registry Summary
Proxy
Identified: False cancel

AutoRun
Identified: False cancel

Created
Identified: False cancel

Deleted
Identified: False cancel

Browsers
Identified: False cancel

Internet
Identified: False cancel


DNS
Query

Response

TCP
Info

UDP
Info

HTTP
Info

Summary
DNS
False cancel

TCP
False cancel

UDP
False cancel

HTTP
False cancel

Results
BINARY
NFS 2.0 (Threshold = 0.8)
confidence: 64.38%
suspicious: True check_circle

Decision Tree (NFS-BRMalware)
confidence: 100.00%
suspicious: True check_circle

MalConv (Ember: Raw Bytes, Threshold=0.5)
confidence: 99.65%
suspicious: True check_circle

Random Forest (100 estimators, NFS-BRMalware)
confidence: 61.00%
suspicious: False cancel

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35)
confidence: 52.84%
suspicious: True check_circle

LightGBM (Ember: File Characteristics, Threshold=0.8336)
confidence: 95.62%
suspicious: False cancel
