Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 24, 2021, 6:51 p.m.	June 24, 2021, 7:01 p.m.

Size	157.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`7410df6db7dd9dfc0c4103efa8d13fc9`
SHA256	`e1cdac7f4cf342ffde7d1f1fd9ea4788166bc4f9bfe3706ba5ab71af38682f33`
CRC32	`FA437CCC`
ssdeep	`3072:a62EXiRPw5J+QVvZokrQ+6tbZYXP+aqcRwV5G5J+ke:a62l451ZpQ+KbZYXP+aqUwPG53`
Yara	PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) Generic_Malware_Zero - Generic Malware IsPE32 - (no description)

ProstoLauncher.exe "C:\Users\test22\AppData\Local\Temp\ProstoLauncher.exe"
2208
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
prostocraft.ru	A 212.22.85.147	212.22.85.147

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
212.22.85.147	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49808 -> 212.22.85.147:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49810 -> 212.22.85.147:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49808 212.22.85.147:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=prostocraft.ru	12:a6:77:fa:24:68:f2:f2:0d:2c:f0:5a:35:23:a2:83:46:b3:4e:fe
TLSv1 192.168.56.102:49810 212.22.85.147:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=prostocraft.ru	12:a6:77:fa:24:68:f2:f2:0d:2c:f0:5a:35:23:a2:83:46:b3:4e:fe

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 24, 2021, 6:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 24, 2021, 6:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 24, 2021, 6:44 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 24, 2021, 6:44 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 24, 2021, 6:44 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (9 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET https://prostocraft.ru/api/launcher/getLoaderVersion?type=exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://prostocraft.ru/api/launcher/getLauncherVersion
suspicious_features	GET method with no useragent header	suspicious_request	GET https://prostocraft.ru/api/bundle/getBundleIndex?id=jre-win64
suspicious_features	GET method with no useragent header	suspicious_request	GET https://prostocraft.ru/api/bundle/getBundleIndex?id=prostocraft
suspicious_features	GET method with no useragent header	suspicious_request	GET https://prostocraft.ru/launcher/bundle-prostocraft/do_not_delete.txt
suspicious_features	GET method with no useragent header	suspicious_request	GET https://prostocraft.ru/launcher/bundle-prostocraft/do_not_update.txt
suspicious_features	GET method with no useragent header	suspicious_request	GET https://prostocraft.ru/launcher/bundle-prostocraft/do_not_download.txt
suspicious_features	GET method with no useragent header	suspicious_request	GET https://prostocraft.ru/launcher/launcher.98.jar
suspicious_features	GET method with no useragent header	suspicious_request	GET https://prostocraft.ru/launcher/bundle-jre-win64/bin/orbd.exe

Performs some HTTP requests (9 events)

request	GET https://prostocraft.ru/api/launcher/getLoaderVersion?type=exe
request	GET https://prostocraft.ru/api/launcher/getLauncherVersion
request	GET https://prostocraft.ru/api/bundle/getBundleIndex?id=jre-win64
request	GET https://prostocraft.ru/api/bundle/getBundleIndex?id=prostocraft
request	GET https://prostocraft.ru/launcher/bundle-prostocraft/do_not_delete.txt
request	GET https://prostocraft.ru/launcher/bundle-prostocraft/do_not_update.txt
request	GET https://prostocraft.ru/launcher/bundle-prostocraft/do_not_download.txt
request	GET https://prostocraft.ru/launcher/launcher.98.jar
request	GET https://prostocraft.ru/launcher/bundle-jre-win64/bin/orbd.exe

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

prostocraft.ru

description

Russian Federation domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 123 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000610000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000007b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2361000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25de000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25de000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25e0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25e0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25e0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25e0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25e0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25e1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25e1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25e1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25e1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25de000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00052000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0010a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00042000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00053000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0011a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00142000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0011d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0005c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00190000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00054000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00191000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00192000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00193000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00194000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00055000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00056000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00057000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00059000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff001d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00195000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00196000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 6:44 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0010b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW June 24, 2021, 6:45 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13293961216 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1	0

Creates executable files on the filesystem (31 events)

file	C:\Users\test22\.prostocraft\jre_launcher\bin\kinit.exe
file	C:\Users\test22\.prostocraft\jre_launcher\bin\pack200.exe
file	C:\Users\test22\.prostocraft\jre_launcher\bin\jsdt.dll
file	C:\Users\test22\.prostocraft\jre_launcher\bin\jabswitch.exe
file	C:\Users\test22\.prostocraft\jre_launcher\bin\hprof.dll
file	C:\Users\test22\.prostocraft\jre_launcher\bin\dt_socket.dll
file	C:\Users\test22\.prostocraft\jre_launcher\bin\orbd.exe
file	C:\Users\test22\.prostocraft\jre_launcher\bin\freetype.dll
file	C:\Users\test22\.prostocraft\jre_launcher\bin\java_crw_demo.dll
file	C:\Users\test22\.prostocraft\jre_launcher\bin\w2k_lsa_auth.dll
file	C:\Users\test22\.prostocraft\jre_launcher\bin\jjs.exe
file	C:\Users\test22\.prostocraft\jre_launcher\bin\klist.exe
file	C:\Users\test22\.prostocraft\jre_launcher\bin\policytool.exe
file	C:\Users\test22\.prostocraft\jre_launcher\bin\awt.dll
file	C:\Users\test22\.prostocraft\jre_launcher\bin\j2pkcs11.dll
file	C:\Users\test22\.prostocraft\jre_launcher\bin\unpack200.exe
file	C:\Users\test22\.prostocraft\jre_launcher\bin\jpeg.dll
file	C:\Users\test22\.prostocraft\jre_launcher\bin\JAWTAccessBridge-64.dll
file	C:\Users\test22\Desktop\ProstoLauncher.lnk
file	C:\Users\test22\.prostocraft\jre_launcher\bin\unpack.dll
file	C:\Users\test22\.prostocraft\jre_launcher\bin\jsoundds.dll
file	C:\Users\test22\.prostocraft\jre_launcher\bin\instrument.dll
file	C:\Users\test22\.prostocraft\jre_launcher\bin\java.exe
file	C:\Users\test22\.prostocraft\jre_launcher\bin\WindowsAccessBridge-64.dll
file	C:\Users\test22\.prostocraft\jre_launcher\bin\verify.dll
file	C:\Users\test22\.prostocraft\jre_launcher\bin\tnameserv.exe
file	C:\Users\test22\.prostocraft\jre_launcher\bin\jawt.dll
file	C:\Users\test22\.prostocraft\jre_launcher\bin\sunec.dll
file	C:\Users\test22\.prostocraft\jre_launcher\bin\javaw.exe
file	C:\Users\test22\.prostocraft\jre_launcher\bin\jdwp.dll
file	C:\Users\test22\.prostocraft\jre_launcher\bin\JavaAccessBridge-64.dll

Creates a shortcut to an executable file (2 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file	C:\Users\test22\Desktop\ProstoLauncher.lnk

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 24, 2021, 6:44 p.m.	flags: 15 family: 0		111	0

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

MicroWorld-eScan	Trojan.GenericKD.37108167
FireEye	Generic.mg.7410df6db7dd9dfc
ALYac	Trojan.GenericKD.37108167
Cylance	Unsafe
Sangfor	Riskware.Win32.Agent.ky
BitDefender	Trojan.GenericKD.37108167
Cyren	W32/Trojan.VMQQ-4079
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:MalwareX-gen [Trj]
Kaspersky	UDS:DangerousObject.Multi.Generic
Alibaba	Trojan:Win32/MalwareX.7530d89f
AegisLab	Trojan.Multi.Generic.4!c
Ad-Aware	Trojan.GenericKD.37108167
Emsisoft	Trojan.GenericKD.37108167 (B)
Comodo	Malware@#1a9datas7ndja
MAX	malware (ai score=85)
Gridinsoft	Trojan.Win32.Downloader.sa
Arcabit	Trojan.Generic.D23639C7
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Trojan.GenericKD.37108167
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.C4531029
McAfee	RDN/Generic BackDoor
VBA32	TScope.Trojan.MSIL
Malwarebytes	Malware.AI.598559690
Panda	Trj/GdSda.A
Yandex	Trojan.AvsArher.bUbzqH
Ikarus	Trojan.Inject
MaxSecure	Trojan.Malware.1728101.susgen
Fortinet	PossibleThreat
BitDefenderTheta	Gen:NN.ZemsilF.34758.jm0@aGc2YSc
AVG	Win32:MalwareX-gen [Trj]
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_60% (W)

ProstoLauncher.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All