Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 19, 2022, 9:39 a.m.	Nov. 19, 2022, 9:51 a.m.

Size	381.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`e91e8a603108c29db5d1a1ba1c8123fd`
SHA256	`d026b0f1bfa1ea1bc142695477450d6bd4c10e6d7cdbff1d4e8abaad8f04b6c1`
CRC32	`B8087EE2`
ssdeep	`6144:x/QiQXCWkm+ksmpk3U9j0IV/OGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglM7LT:pQi3WP6m6UR0IV/lL//plmW9bTXeVhD4`
Yara	Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

Bolt.exe "C:\Users\test22\AppData\Local\Temp\Bolt.exe"
2652
- Bolt.tmp "C:\Users\test22\AppData\Local\Temp\is-G4CRF.tmp\Bolt.tmp" /SL5="$80178,140559,56832,C:\Users\test22\AppData\Local\Temp\Bolt.exe"
  2720
  - PowerOff.exe "C:\Users\test22\AppData\Local\Temp\is-9I5HS.tmp\PowerOff.exe" /S /UID=95
    2880
    - SHykigusena.exe "C:\Users\test22\AppData\Local\Temp\dc-1b113-c03-fcb87-222b96c802939\SHykigusena.exe"
      2220
      - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        2296
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2296 CREDAT:145409
        1380
    - Laetymaerifae.exe "C:\Users\test22\AppData\Local\Temp\4b-cbf10-263-922b1-a9940130e9e54\Laetymaerifae.exe"
      2232
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
apps.identrust.com	CNAME a1952.dscq.akamai.net A 23.43.165.105 CNAME identrust.edgesuite.net A 23.43.165.66	23.43.165.66
360devtracking.com	A 37.230.138.66	37.230.138.66
www.profitabletrustednetwork.com	A 173.233.137.36 A 173.233.139.164 A 192.243.61.227 A 192.243.61.225 A 173.233.137.60 A 192.243.59.12 A 192.243.59.20 A 192.243.59.13 A 173.233.137.52 A 173.233.137.44	192.243.61.227
doll.s3.pl-waw.scw.cloud	A 151.115.10.1 CNAME s3.pl-waw.scw.cloud	151.115.10.1
connectini.net	A 37.230.138.123	37.230.138.123
wewewe.s3.eu-central-1.amazonaws.com	A 52.219.169.154 CNAME s3-r-w.eu-central-1.amazonaws.com	52.219.169.46
google.com	A 172.217.26.238	172.217.25.174
www.google.com	A 142.251.220.4	142.250.76.132
gg90db2661-715df250cbed8bj4h8vwwr.s3.pl-waw.scw.cloud	A 151.115.10.1 CNAME s3.pl-waw.scw.cloud	151.115.10.1

IP Address	Status	Action
142.251.220.4	Active	Moloch
151.115.10.1	Active	Moloch
164.124.101.2	Active	Moloch
172.217.26.238	Active	Moloch
192.243.59.13	Active	Moloch
23.43.165.105	Active	Moloch
23.43.165.66	Active	Moloch
37.230.138.123	Active	Moloch
37.230.138.66	Active	Moloch
52.219.169.154	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2027865	ET INFO Observed DNS Query to .cloud TLD	Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 151.115.10.1:80	2027874	ET INFO HTTP Request to Suspicious *.cloud Domain	Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 151.115.10.1:80	2027874	ET INFO HTTP Request to Suspicious *.cloud Domain	Potentially Bad Traffic
TCP 192.168.56.101:49167 -> 37.230.138.123:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:52815 -> 164.124.101.2:53	2027865	ET INFO Observed DNS Query to .cloud TLD	Potentially Bad Traffic
TCP 192.168.56.101:49170 -> 151.115.10.1:80	2027874	ET INFO HTTP Request to Suspicious *.cloud Domain	Potentially Bad Traffic
TCP 151.115.10.1:80 -> 192.168.56.101:49170	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 151.115.10.1:80 -> 192.168.56.101:49170	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.101:49171 -> 151.115.10.1:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49172 -> 52.219.169.154:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 151.115.10.1:80 -> 192.168.56.101:49165	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.101:49176 -> 151.115.10.1:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:61950 -> 164.124.101.2:53	2027865	ET INFO Observed DNS Query to .cloud TLD	Potentially Bad Traffic
TCP 192.168.56.101:49180 -> 37.230.138.123:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49182 -> 37.230.138.123:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:53850 -> 164.124.101.2:53	2027865	ET INFO Observed DNS Query to .cloud TLD	Potentially Bad Traffic
TCP 192.168.56.101:49168 -> 52.219.169.154:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49169 -> 151.115.10.1:80	2027874	ET INFO HTTP Request to Suspicious *.cloud Domain	Potentially Bad Traffic
TCP 151.115.10.1:80 -> 192.168.56.101:49169	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 151.115.10.1:80 -> 192.168.56.101:49169	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.101:49169 -> 151.115.10.1:80	2027874	ET INFO HTTP Request to Suspicious *.cloud Domain	Potentially Bad Traffic
TCP 151.115.10.1:80 -> 192.168.56.101:49169	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.101:49179 -> 142.251.220.4:80	2036303	ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check	A Network Trojan was detected
TCP 192.168.56.101:49187 -> 192.243.59.13:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49186 -> 192.243.59.13:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49167 37.230.138.123:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49
TLS 1.2 192.168.56.101:49171 151.115.10.1:443	C=US, O=Let's Encrypt, CN=R3	CN=s3.pl-waw.scw.cloud	13:5a:26:76:9b:02:b0:88:8d:ed:ac:89:e9:f3:d1:bd:f4:6d:ff:fd
TLS 1.2 192.168.56.101:49172 52.219.169.154:443	C=US, O=Amazon, OU=Server CA 1B, CN=Amazon	CN=*.s3.eu-central-1.amazonaws.com	bc:92:6b:62:48:5f:c5:08:60:03:a9:1e:bc:29:58:79:d7:4b:94:fb
TLS 1.2 192.168.56.101:49176 151.115.10.1:443	C=US, O=Let's Encrypt, CN=R3	CN=s3.pl-waw.scw.cloud	13:5a:26:76:9b:02:b0:88:8d:ed:ac:89:e9:f3:d1:bd:f4:6d:ff:fd
TLSv1 192.168.56.101:49180 37.230.138.123:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49
TLSv1 192.168.56.101:49182 37.230.138.123:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49
TLS 1.2 192.168.56.101:49168 52.219.169.154:443	C=US, O=Amazon, OU=Server CA 1B, CN=Amazon	CN=*.s3.eu-central-1.amazonaws.com	bc:92:6b:62:48:5f:c5:08:60:03:a9:1e:bc:29:58:79:d7:4b:94:fb
TLSv1 192.168.56.101:49187 192.243.59.13:443	C=US, O=Let's Encrypt, CN=R3	CN=profitabletrustednetwork.com	6a:48:45:b5:44:ae:75:f4:d2:b3:d4:5e:bc:2f:61:30:ec:d4:3a:99
TLSv1 192.168.56.101:49186 192.243.59.13:443	C=US, O=Let's Encrypt, CN=R3	CN=profitabletrustednetwork.com	6a:48:45:b5:44:ae:75:f4:d2:b3:d4:5e:bc:2f:61:30:ec:d4:3a:99

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Nov. 19, 2022, 9:42 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Nov. 19, 2022, 9:42 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 19, 2022, 9:39 a.m.			0	0
IsDebuggerPresent Nov. 19, 2022, 9:39 a.m.			0	0
IsDebuggerPresent Nov. 19, 2022, 9:39 a.m.			0	0
IsDebuggerPresent Nov. 19, 2022, 9:42 a.m.			0	0
IsDebuggerPresent Nov. 19, 2022, 9:42 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 19, 2022, 9:39 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (13 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://gg90db2661-715df250cbed8bj4h8vwwr.s3.pl-waw.scw.cloud/sata/pub-dsynf65cgyy6b7uk.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://gg90db2661-715df250cbed8bj4h8vwwr.s3.pl-waw.scw.cloud/sata/up-da-dsynf65cgyy6b7uk.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://gg90db2661-715df250cbed8bj4h8vwwr.s3.pl-waw.scw.cloud/sata/hand-dsynf65cgyy6b7uk.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.google.com/
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/SuperNitouDisc.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://doll.s3.pl-waw.scw.cloud/widgets/powerOff.exe
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/Conumer4Publisher.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/Series/publisher/1/KR.json
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/Conumer2kenpachi.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/Series/kenpachi/2/goodchannel/KR.json
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/Series/configPoduct/2/goodchannel.json

Performs some HTTP requests (16 events)

request	HEAD http://gg90db2661-715df250cbed8bj4h8vwwr.s3.pl-waw.scw.cloud/samsung-carrers/poweroff.exe
request	GET http://gg90db2661-715df250cbed8bj4h8vwwr.s3.pl-waw.scw.cloud/samsung-carrers/poweroff.exe
request	GET http://gg90db2661-715df250cbed8bj4h8vwwr.s3.pl-waw.scw.cloud/sata/pub-dsynf65cgyy6b7uk.exe
request	GET http://gg90db2661-715df250cbed8bj4h8vwwr.s3.pl-waw.scw.cloud/sata/up-da-dsynf65cgyy6b7uk.exe
request	GET http://gg90db2661-715df250cbed8bj4h8vwwr.s3.pl-waw.scw.cloud/sata/hand-dsynf65cgyy6b7uk.exe
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	GET http://www.google.com/
request	POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
request	POST https://connectini.net/Series/SuperNitouDisc.php
request	GET https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
request	GET https://doll.s3.pl-waw.scw.cloud/widgets/powerOff.exe
request	POST https://connectini.net/Series/Conumer4Publisher.php
request	GET https://connectini.net/Series/publisher/1/KR.json
request	POST https://connectini.net/Series/Conumer2kenpachi.php
request	GET https://connectini.net/Series/kenpachi/2/goodchannel/KR.json
request	GET https://connectini.net/Series/configPoduct/2/goodchannel.json

Sends data using the HTTP POST Method (4 events)

request	POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
request	POST https://connectini.net/Series/SuperNitouDisc.php
request	POST https://connectini.net/Series/Conumer4Publisher.php
request	POST https://connectini.net/Series/Conumer2kenpachi.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 635 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:40 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000046c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000008a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000009f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a11000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40ab000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000004b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a12000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a12000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a12000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a12000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a12000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a12000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a12000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a12000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a12000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a12000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a12000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a14000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a14000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a14000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a14000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9427a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9428c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9432c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94356000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94330000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9427b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9428d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943a8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (2 events)

description	SHykigusena.exe tried to sleep 201 seconds, actually delayed analysis time by 201 seconds
description	Laetymaerifae.exe tried to sleep 172 seconds, actually delayed analysis time by 172 seconds

Creates executable files on the filesystem (6 events)

file	C:\Users\test22\AppData\Local\Temp\4b-cbf10-263-922b1-a9940130e9e54\Laetymaerifae.exe
file	C:\Users\test22\AppData\Local\Temp\is-9I5HS.tmp\_isetup\_shfoldr.dll
file	C:\Program Files (x86)\Common Files\Sahajavuma.exe
file	C:\Users\test22\AppData\Local\Temp\is-9I5HS.tmp\idp.dll
file	C:\Users\test22\AppData\Local\Temp\is-9I5HS.tmp\PowerOff.exe
file	C:\Users\test22\AppData\Local\Temp\dc-1b113-c03-fcb87-222b96c802939\SHykigusena.exe

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\dc-1b113-c03-fcb87-222b96c802939\SHykigusena.exe
file	C:\Users\test22\AppData\Local\Temp\4b-cbf10-263-922b1-a9940130e9e54\Laetymaerifae.exe

Drops an executable to the user AppData folder (6 events)

file	C:\Users\test22\AppData\Local\Temp\dc-1b113-c03-fcb87-222b96c802939\SHykigusena.exe
file	C:\Users\test22\AppData\Local\Temp\4b-cbf10-263-922b1-a9940130e9e54\Laetymaerifae.exe
file	C:\Users\test22\AppData\Local\Temp\is-9I5HS.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-9I5HS.tmp\idp.dll
file	C:\Users\test22\AppData\Local\Temp\is-9I5HS.tmp\PowerOff.exe
file	C:\Users\test22\AppData\Local\Temp\is-G4CRF.tmp\Bolt.tmp

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 19, 2022, 9:50 a.m.	process_identifier: 1380 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x071f0000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 19, 2022, 9:39 a.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the processes bolt.tmp, poweroff.exe (3 events)

Time & API	Arguments	Status	Return
InternetReadFile Nov. 19, 2022, 9:39 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL$áà"0^¢\| @ @ @À{K H.text\ ^ `.rsrc `@@.reloc @Bð{H Ò ©,(½Õ§8¨(¹[¶(¶9]FXUñûVvz/Bä·:ªñ¹WËó§²¹vàþ¹©c´FLTäü¶PMÅuªÇaÈsÜR Å 6·¶ÜAÿÏÿt«?<òËÔA>PÕ2û¸«Wwå®: /ÿ´91»¸uL´<@R¬3ùÕ$¦e!Æ ¬! *^a($ÙâW`-9îë[5m¹]Îò&båúWL5¥ÌjÍê¡O^ÿí\|j`w¼º>.{wdÒÜt®+Âø³H¯©ÚÐKÏhÓé0J©¿O]K¿MÕ´~´P/LO:R3#ÈNýµæcÅëâí>;ÑNa´_ñs(Ào[AÇ©Â&JÈ¬¼+íRý'}×ÉB@ì[\|!¼wS!£ \+d3]À×\|\|Jï³`@IlmÍì~ì9·ÇaoóÚüÙ}mPvñQ!ûÈtÞownÑn`· ÂÕñG·J<L£:òæ 3jaqÌ%«ãßé§ request_handle: 0x00cc000c	1	1
recv Nov. 19, 2022, 9:39 a.m.	buffer: HTTP/1.1 200 OK content-length: 600576 x-amz-id-2: txe8dba6ed02d14b0fad579-0063782817 accept-ranges: bytes last-modified: Fri, 18 Nov 2022 17:17:46 GMT etag: "436e921da691211e16a1adb9ff4d90cd" x-amz-request-id: txe8dba6ed02d14b0fad579-0063782817 x-amz-version-id: 1668791866723311 content-type: application/octet-stream date: Sat, 19 Nov 2022 00:49:27 GMT MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELjJecà"0x°^ @ @W 8` H.textdw x `.rsrc8 ®z@@.reloc` ( @B@HPt´";áHæÁ8;b#ûò³:í¥ÿ~tñ¥Üþ!æVQôÉJoi+ð¢Ýí`v÷SÂÑJ'Äè×5ÝTóI9ì#6×sr=Fqû¡mx}Ã"ü4G¯÷ Á$n ãÃWï"E®2öò>ÿàêGé=ú39LåYÛgß3Ø÷>ä àPx¡nb õ3]ó¹ßÿÑIXzâÖF!í»DsæEÂ«÷\|r®Q2G\jÅ<0Ön%<Ï7¥Ù&Å n¿BXhõÉCÝ3ó! ä(¶Õ1 ´xF¾]KôïáAë(°&Bñ&¨ÜÈõ³É@\ô]ä÷%_°1-Rô½öÕò9qm}`VÎoÎýÔ @Ívùj·4RIg²zo£ gWÙë]o:týÕñØøB1R2"Á;ÃÄïÎäVedÕ='ç°ÂÖë¹Yopñe==Z·P¸ògú÷ðÃçãäÙãºæ]>]áç·ÄÅØ2¾i$Q5 J<ñ]0\|½Rs¥ZY» W÷Ô²IÐL[ÝsíøôoaM<Ä/0X'£?¥&« ÷î®£¬9Bñ<Ú`z/\|ëîx×±dðxÊÌ[ËÌ¾îH~¡zÍÛq¡÷ðÍ]QÈLCäøêñ·tþ-ûQY,TGÂÒÏ_öõNB³¤µ×à$ÌG<i?L³GÜ¿rft=æ¾ë²Êgd(F&Öo ¿!µÓÄpðÁ8+µRèRqdyÅUT±êT³ ©Ò¤÷ÁhQl4Ñâ¾ º5¶Ôk¤ubÎFÊÑí6\õ"O$êþ0åógY'fvëç%Ó=3)LKÖ©xXQ¢yÀÔ»<ÛîÖk¾Cë¬¦4Õ¶C§p¹Ó«ÿËhòÁ¯&åÐ¥2ËãâQ-T&{5î-ýÏþp_ë@MHo#.Éíªv1ZÅ9ÖA-éÓ8`§B:iÄÞp¡ç§ª¸ßÿRÅpK÷¦±A«>tMzÔ×_~$W`ãï ~õ}{\íò)ëùÉø(EÎÏgÄñ%>ÜáÒ»ÊJÅ¯d'ùñ °ÉêSÊóA²Ç§'Ñvó]-Ë¯BwÞG3V´ö¥ØÜ¾IÐÈ'yDÁúðÆdÚõnK1Yq°'ãõ²Ç§'Ñvó]-Ëu.)èÁEsÙ¾ÓFøòejñd<6ßóm¢0 â5FVÎmg÷©Ôô0æWQvi"¼Üº]LáÁÊ»Ú 1¡BÈ Æ¯Wô¸?'ÕÒ\|<hoÃ(û}iáÑU ·^-BrÎ¨2+òö6YWiÕ}+ÂBmªô\|,OzòMûJKµÔn1ªt&@°ã¿WùKNÀ ìÍ'?¾¸Ò}é0M(óñäåg¿YZµ\ëZ¶Q'?©_ÚÚá<øèìÄÈ¶¤<EGA¹6,ó&û¥P±mÍF³ëp<~s«Ô¦[«ÉöHú;ïôÈö×þRR©S^I¹î®®!2¥OÓzD¹°ÚAÎ°ÍþÆ;Ü³b¶L]Á]-ôHáÙ]A¨{·I²ÙwGË³zà9PL½oåÆJ3+@£¼S·ù&ð£Àá<«ÿcÈUæ0½¨~ø@<{%¨e0Ò \ºE´¤Uf!?_u-y¡³êó]@z²+hYÝ).°&@aÖx dYaA(8}KìRb·K¨þAê{Yºèºâtt@B¹¹z¡0¿0ÜS-ãú¯ÂßZ`RY}¼Á Pfl7_'îÙ½åÓË¸âháóOîÒáDª$ªEæ\ySL1@ë´"&`(tFm;¶p«~xVÝÍJr°/pÛBÏ>ûL·ÒÛåvh#kÜÔ)z9pø¼Ô,(è´¿P³ÂnàfJ\c¿·¤í]¦¾apà;Ñ,Õ_Í½+Eiã²¯°:× ¯þë">©6DÜ[j¤Ì.ZÙoûdGRÞØD¹º§Æ7#ÂáÔ×}.Êêµ=v(&ñô½ìp¨ÃdÞêôþÙöXÜ``OÊùéLV1¥R¿øF QSOüÐêUZ+Û´R£õVq41´vD¤$ÓâÙI1¨÷ºPgîbv\|À!ªväA%«Ð±¥èeïÍîµßÉ¢FS×·8ÆßÛØ¨{ßýAm¼©¬8Î*\)§dÍôtÑGôA0t¯XÝéã§Sî' HÎ[L"cMËþ¬Õ/ê¤:ÓkëfS¤ received: 2920 socket: 1592	1	2920
recv Nov. 19, 2022, 9:39 a.m.	buffer: HTTP/1.1 200 OK content-length: 129024 x-amz-id-2: tx335f7270293e4b8d80cd2-006378281a accept-ranges: bytes last-modified: Fri, 18 Nov 2022 17:17:46 GMT etag: "70a9b681d28137cfb4f0b4ab59ef51c6" x-amz-request-id: tx335f7270293e4b8d80cd2-006378281a x-amz-version-id: 1668791866099711 content-type: application/octet-stream date: Sat, 19 Nov 2022 00:49:30 GMT MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELWúà.:º®Y `@ `@`YK@³@Y H.text´9 : `.sdataø`>@À.rsrc@³´B@@.reloc@ö@BYHÞÞU?r4$0í+ (3Á[:&-ù(! % (¢% R(¢% t(¢% â(¢% >(¢% T(¢% <(¢% N(¢% (¢% (¢% P(¢% ê(¢% ¢(¢% <(¢% ô(¢% (¢% $(¢% ¾(¢% X (¢% î (¢% (¢% "(¢% ¸(¢% R(¢% n(¢% (¢% ð(¢% (¢% , (¢% L (¢% À (¢% â (¢% (¢( (j+ (¿6DO&-ù( ( V+ (ðgI&-ù( f+ (·ghG&-ùþ (¡v+ (MÀ,4&-ùþ þ ( v+ (`>X&-ùþ þ ( B+ ('úZi&-ùB+ (óäk&-ùV+ (ùå>&-ù(îb+ (Íó6;&-ùþ ( 0-+ (që_j&-ù~%:&~þs %( À(s ( (( D(((:X& 92&( x( ((8" þþEºÿÿÿºÿÿÿ8& 8Ûÿÿÿ(Ý 9(ÜÝ8&Ý0&s (Ý 9(ÜÝ&Ý@Eß 5¾ó$ ü'#%5¾û0%0E+ (ä¦\E&-ù((:& 86(8[& 88äÿÿÿs 8×ÿÿÿ þþE9¥ÿÿÿ(9¬ÿÿÿ¼ÿÿÿN :Ðÿÿÿ& \|(( :´ÿÿÿ&s 8¢ÿÿÿ(9}ÿÿÿ 8ÿÿÿ(:X((99& 88" þþE×ÿÿÿ×ÿÿÿ8& 8ÛÿÿÿÝÝ received: 2920 socket: 1592	1	2920

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
cmdline	C:\Program Files (x86)\Internet Explorer\iexplore.exe https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2296 CREDAT:145409

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover

reg_value

"C:\Program Files (x86)\Common Files\Sahajavuma.exe"

Network activity contains more than one unique useragent (2 events)

process	Bolt.tmp				useragent	InnoDownloadPlugin/1.5
process	iexplore.exe				useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2296 resumed a thread in remote process 1380
NtResumeThread Nov. 19, 2022, 9:50 a.m.	thread_handle: 0x0000035c suspend_count: 1 process_identifier: 1380	1	0	0

Generates some ICMP traffic

File has been identified by 25 AntiVirus engines on VirusTotal as malicious (25 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
McAfee	Artemis!E91E8A603108
Cylance	Unsafe
Cybereason	malicious.881c00
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of Win32/TrojanDownloader.Adload.NVT
Cynet	Malicious (score: 99)
APEX	Malicious
Kaspersky	UDS:Trojan-Downloader.MSIL.Csdi.ez
SUPERAntiSpyware	Backdoor.Manuscrypt/Variant
Avast	FileRepMalware [Misc]
TrendMicro	Trojan.Win32.PRIVATELOADER.YXCKSZ
McAfee-GW-Edition	BehavesLike.Win32.AdwareFileTour.fc
Sophos	Mal/Generic-S
Ikarus	Trojan-Downloader.Win32.Adload
Avira	HEUR/AGEN.1233171
Microsoft	Trojan:Script/Phonzy.A!ml
Google	Detected
AhnLab-V3	Trojan/Win.Generic.C4497446
MAX	malware (ai score=99)
Malwarebytes	Trojan.Downloader
Tencent	Win32.Trojan.Agen.Qimw
MaxSecure	Trojan.Malware.104882972.susgen
AVG	FileRepMalware [Misc]

Bolt.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All