Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Dec. 2, 2022, 10:31 a.m.	Dec. 2, 2022, 10:50 a.m.

Size	380.8KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`c4807ea6c4ee04746a88248c855cb71d`
SHA256	`5bd0f1a500c8eb22f267f4414a8187c5f77f3b02b66d5dc9f9f42c2ff1206b1e`
CRC32	`64EDEC6C`
ssdeep	`6144:x/QiQXCpkm+ksmpk3U9j0IJaOGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglM7LT:pQi3pP6m6UR0IJalL//plmW9bTXeVhD4`
Yara	Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

TUN.exe "C:\Users\test22\AppData\Local\Temp\TUN.exe"
2560
- TUN.tmp "C:\Users\test22\AppData\Local\Temp\is-4AJQ8.tmp\TUN.tmp" /SL5="$80178,140559,56832,C:\Users\test22\AppData\Local\Temp\TUN.exe"
  2612
  - zizou.exe "C:\Users\test22\AppData\Local\Temp\is-UG08R.tmp\zizou.exe" /S /UID=95
    2776
    - poweroff.exe "C:\Program Files\Java\LSYEJYHNMF\poweroff.exe" /VERYSILENT
      1384
      - poweroff.tmp "C:\Users\test22\AppData\Local\Temp\is-07SP5.tmp\poweroff.tmp" /SL5="$9012E,490199,350720,C:\Program Files\Java\LSYEJYHNMF\poweroff.exe" /VERYSILENT
        192
        
        Power Off.exe "C:\Program Files (x86)\powerOff\Power Off.exe" -silent -desktopShortcut -programMenu
        2224
    - Laecojylavae.exe "C:\Users\test22\AppData\Local\Temp\19-31e4f-36c-236a3-319701c66ecc1\Laecojylavae.exe"
      2328
      - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        936
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:936 CREDAT:145409
        176
    - Huqelamano.exe "C:\Users\test22\AppData\Local\Temp\ae-f366a-5e1-f73a7-d26d813624d7d\Huqelamano.exe"
      2280
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
5de5c46f-c6bb-4dc8-bd5f-34662c54ce50.s3.pl-waw.scw.cloud	A 151.115.10.1 CNAME s3.pl-waw.scw.cloud	151.115.10.1
wewewe.s3.eu-central-1.amazonaws.com	CNAME s3-r-w.eu-central-1.amazonaws.com A 3.5.136.176	52.219.72.188
apps.identrust.com	A 61.111.58.35 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 61.111.58.34 A 121.254.136.27 A 121.254.136.57	23.53.228.10
360devtracking.com	A 37.230.138.66	37.230.138.66
www.profitabletrustednetwork.com	A 173.233.137.36 A 173.233.139.164 A 192.243.61.227 A 192.243.61.225 A 173.233.137.60 A 192.243.59.12 A 192.243.59.20 A 192.243.59.13 A 173.233.137.52 A 173.233.137.44	173.233.139.164
www.google.com	A 142.251.220.4	142.250.76.132
connectini.net	A 37.230.138.123	37.230.138.123
stewei-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud	A 151.115.10.1 CNAME s3.pl-waw.scw.cloud	151.115.10.1
google.com	A 142.250.207.78	172.217.25.174

IP Address	Status	Action
104.21.73.149	Active	Moloch
104.74.168.254	Active	Moloch
107.180.41.158	Active	Moloch
142.93.169.197	Active	Moloch
154.35.175.225	Active	Moloch
162.241.24.197	Active	Moloch
177.11.54.131	Active	Moloch
178.20.55.16	Active	Moloch
178.63.41.183	Active	Moloch
184.168.97.42	Active	Moloch
186.202.127.56	Active	Moloch
190.228.29.114	Active	Moloch
121.254.136.27	Active	Moloch
142.250.207.78	Active	Moloch
142.251.220.4	Active	Moloch
151.115.10.1	Active	Moloch
164.124.101.2	Active	Moloch
192.243.59.12	Active	Moloch
3.5.136.176	Active	Moloch
37.230.138.123	Active	Moloch
37.230.138.66	Active	Moloch
61.111.58.34	Active	Moloch
195.219.57.43	Active	Moloch
199.250.214.152	Active	Moloch
202.124.241.201	Active	Moloch
207.32.181.122	Active	Moloch
217.70.178.4	Active	Moloch
23.216.159.81	Active	Moloch
43.250.140.44	Active	Moloch
51.68.204.139	Active	Moloch
52.73.17.211	Active	Moloch
64.13.192.154	Active	Moloch
70.39.146.5	Active	Moloch
80.237.132.210	Active	Moloch
81.2.195.201	Active	Moloch
85.13.163.220	Active	Moloch
93.186.117.3	Active	Moloch
95.214.53.210	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49163 -> 151.115.10.1:80	2027874	ET INFO HTTP Request to Suspicious *.cloud Domain	Potentially Bad Traffic
TCP 192.168.56.101:49167 -> 37.230.138.123:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49163 -> 151.115.10.1:80	2027874	ET INFO HTTP Request to Suspicious *.cloud Domain	Potentially Bad Traffic
TCP 151.115.10.1:80 -> 192.168.56.101:49163	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2027865	ET INFO Observed DNS Query to .cloud TLD	Potentially Bad Traffic
UDP 192.168.56.101:53004 -> 164.124.101.2:53	2027865	ET INFO Observed DNS Query to .cloud TLD	Potentially Bad Traffic
TCP 192.168.56.101:49170 -> 151.115.10.1:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 154.35.175.225:443 -> 192.168.56.101:49171	2522192	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 193	Misc Attack
TCP 192.168.56.101:49169 -> 151.115.10.1:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49168 -> 3.5.136.176:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 178.20.55.16:443 -> 192.168.56.101:49167	2520024	ET TOR Known Tor Exit Node Traffic group 25	Misc Attack
TCP 178.20.55.16:443 -> 192.168.56.101:49167	2522025	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 26	Misc Attack
TCP 178.63.41.183:8000 -> 192.168.56.101:49173	2522237	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 238	Misc Attack
TCP 192.168.56.101:49184 -> 142.251.220.4:80	2036303	ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check	A Network Trojan was detected
TCP 192.168.56.101:49185 -> 37.230.138.123:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 95.214.53.210:8443 -> 192.168.56.101:49175	2522792	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 793	Misc Attack
UDP 192.168.56.101:55146 -> 164.124.101.2:53	2027865	ET INFO Observed DNS Query to .cloud TLD	Potentially Bad Traffic
TCP 142.93.169.197:9001 -> 192.168.56.101:49170	2522171	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 172	Misc Attack
TCP 192.168.56.101:49186 -> 37.230.138.123:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49191 -> 192.243.59.12:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49192 -> 192.243.59.12:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 51.68.204.139:9001 -> 192.168.56.101:49174	2522649	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 650	Misc Attack

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49167 37.230.138.123:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49
TLS 1.2 192.168.56.101:49170 151.115.10.1:443	C=US, O=Let's Encrypt, CN=R3	CN=s3.pl-waw.scw.cloud	13:5a:26:76:9b:02:b0:88:8d:ed:ac:89:e9:f3:d1:bd:f4:6d:ff:fd
TLS 1.2 192.168.56.101:49169 151.115.10.1:443	C=US, O=Let's Encrypt, CN=R3	CN=s3.pl-waw.scw.cloud	13:5a:26:76:9b:02:b0:88:8d:ed:ac:89:e9:f3:d1:bd:f4:6d:ff:fd
TLS 1.2 192.168.56.101:49168 3.5.136.176:443	C=US, O=Amazon, OU=Server CA 1B, CN=Amazon	CN=*.s3.eu-central-1.amazonaws.com	bc:92:6b:62:48:5f:c5:08:60:03:a9:1e:bc:29:58:79:d7:4b:94:fb
TLSv1 192.168.56.101:49185 37.230.138.123:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49
TLSv1 192.168.56.101:49186 37.230.138.123:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49
TLSv1 192.168.56.101:49191 192.243.59.12:443	C=US, O=Let's Encrypt, CN=R3	CN=profitabletrustednetwork.com	6a:48:45:b5:44:ae:75:f4:d2:b3:d4:5e:bc:2f:61:30:ec:d4:3a:99
TLSv1 192.168.56.101:49192 192.243.59.12:443	C=US, O=Let's Encrypt, CN=R3	CN=profitabletrustednetwork.com	6a:48:45:b5:44:ae:75:f4:d2:b3:d4:5e:bc:2f:61:30:ec:d4:3a:99

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Dec. 2, 2022, 10:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Dec. 2, 2022, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 2, 2022, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 2, 2022, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 2, 2022, 10:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 2, 2022, 10:25 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (7 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 2, 2022, 10:31 a.m.			0	0
IsDebuggerPresent Dec. 2, 2022, 10:24 a.m.			0	0
IsDebuggerPresent Dec. 2, 2022, 10:24 a.m.			0	0
IsDebuggerPresent Dec. 2, 2022, 10:32 a.m.			0	0
IsDebuggerPresent Dec. 2, 2022, 10:25 a.m.			0	0
IsDebuggerPresent Dec. 2, 2022, 10:25 a.m.			0	0
IsDebuggerPresent Dec. 2, 2022, 10:25 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 2, 2022, 10:31 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Dec. 2, 2022, 10:32 a.m.	stacktrace: tun+0x816a8 @ 0x4816a8 tun+0x99c13 @ 0x499c13 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedface exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1637924 registers.edi: 4523332 registers.eax: 1637924 registers.ebp: 1638004 registers.edx: 0 registers.ebx: 0 registers.esi: 2 registers.ecx: 7	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (14 events)

suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.google.com/
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/SuperNitouDisc.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://stewei-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud/peltor/up-da-nv5fyed7t8r9ykva.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://stewei-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud/peltor/pub-nv5fyed7t8r9ykva.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://stewei-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud/widgets/powerOff.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://stewei-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud/peltor/hand-h6vuy332pnrr8zq9.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/S2S/Disc/Disc.php?ezok=power2off2&tesla=6
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/Conumer2kenpachi.php
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/Conumer4Publisher.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/Series/publisher/1/KR.json
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/Series/kenpachi/2/goodchannel/KR.json
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/Series/configPoduct/2/goodchannel.json

Performs some HTTP requests (17 events)

request	HEAD http://5de5c46f-c6bb-4dc8-bd5f-34662c54ce50.s3.pl-waw.scw.cloud/mix-carrers/poweroff.exe
request	GET http://5de5c46f-c6bb-4dc8-bd5f-34662c54ce50.s3.pl-waw.scw.cloud/mix-carrers/poweroff.exe
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
request	GET http://www.google.com/
request	POST https://connectini.net/Series/SuperNitouDisc.php
request	GET https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
request	GET https://stewei-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud/peltor/up-da-nv5fyed7t8r9ykva.exe
request	GET https://stewei-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud/peltor/pub-nv5fyed7t8r9ykva.exe
request	GET https://stewei-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud/widgets/powerOff.exe
request	GET https://stewei-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud/peltor/hand-h6vuy332pnrr8zq9.exe
request	GET https://connectini.net/S2S/Disc/Disc.php?ezok=power2off2&tesla=6
request	POST https://connectini.net/Series/Conumer2kenpachi.php
request	POST https://connectini.net/Series/Conumer4Publisher.php
request	GET https://connectini.net/Series/publisher/1/KR.json
request	GET https://connectini.net/Series/kenpachi/2/goodchannel/KR.json
request	GET https://connectini.net/Series/configPoduct/2/goodchannel.json

Sends data using the HTTP POST Method (4 events)

request	POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
request	POST https://connectini.net/Series/SuperNitouDisc.php
request	POST https://connectini.net/Series/Conumer2kenpachi.php
request	POST https://connectini.net/Series/Conumer4Publisher.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 728 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Dec. 2, 2022, 10:31 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 2, 2022, 10:31 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 2, 2022, 10:31 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 2, 2022, 10:31 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 2, 2022, 10:31 a.m.	process_identifier: 2612 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00360000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 2, 2022, 10:31 a.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 2, 2022, 10:26 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000007960000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000600000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000006a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef419b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b02000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b02000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b02000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b02000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b02000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b02000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b02000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b02000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b02000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b02000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b02000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b04000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b04000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b04000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3b04000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9435a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9436c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94480000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94481000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94482000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94483000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94484000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9440c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94436000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94410000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9435b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94485000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94486000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9436d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94487000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 2, 2022, 10:24 a.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94488000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

A process attempted to delay the analysis task. (2 events)

description	Laecojylavae.exe tried to sleep 196 seconds, actually delayed analysis time by 196 seconds
description	Huqelamano.exe tried to sleep 181 seconds, actually delayed analysis time by 181 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Dec. 2, 2022, 10:25 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13317279744 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1	0

Creates executable files on the filesystem (10 events)

file	C:\Users\test22\AppData\Local\Temp\is-UG08R.tmp\_isetup\_shfoldr.dll
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\powerOff.lnk
file	C:\Users\test22\AppData\Local\Temp\is-BH2K6.tmp\_isetup\_shfoldr.dll
file	C:\Users\Public\Desktop\powerOff.lnk
file	C:\Program Files (x86)\Common Files\Haekaeleshywo.exe
file	C:\Users\test22\AppData\Local\Temp\19-31e4f-36c-236a3-319701c66ecc1\Laecojylavae.exe
file	C:\Users\test22\AppData\Local\Temp\ae-f366a-5e1-f73a7-d26d813624d7d\Huqelamano.exe
file	C:\Users\test22\AppData\Local\Temp\is-UG08R.tmp\zizou.exe
file	C:\Users\test22\AppData\Local\Temp\is-UG08R.tmp\idp.dll
file	C:\Program Files\Java\LSYEJYHNMF\poweroff.exe

Creates a shortcut to an executable file (2 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\powerOff.lnk
file	C:\Users\Public\Desktop\powerOff.lnk

Drops a binary and executes it (3 events)

file	C:\Program Files\Java\LSYEJYHNMF\poweroff.exe
file	C:\Users\test22\AppData\Local\Temp\19-31e4f-36c-236a3-319701c66ecc1\Laecojylavae.exe
file	C:\Users\test22\AppData\Local\Temp\ae-f366a-5e1-f73a7-d26d813624d7d\Huqelamano.exe

Drops an executable to the user AppData folder (7 events)

file	C:\Users\test22\AppData\Local\Temp\is-07SP5.tmp\poweroff.tmp
file	C:\Users\test22\AppData\Local\Temp\19-31e4f-36c-236a3-319701c66ecc1\Laecojylavae.exe
file	C:\Users\test22\AppData\Local\Temp\is-4AJQ8.tmp\TUN.tmp
file	C:\Users\test22\AppData\Local\Temp\is-UG08R.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-UG08R.tmp\idp.dll
file	C:\Users\test22\AppData\Local\Temp\is-UG08R.tmp\zizou.exe
file	C:\Users\test22\AppData\Local\Temp\ae-f366a-5e1-f73a7-d26d813624d7d\Huqelamano.exe

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Dec. 2, 2022, 10:33 a.m.	process_identifier: 176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x03a00000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Dec. 2, 2022, 10:24 a.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process tun.tmp (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Dec. 2, 2022, 10:31 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL >à"0ZHîx @ @ xKFà H.textôX Z `.rsrcFF\@@.relocà¢@BÐxH`Ï@©,ùàEoïÜ¢Ðò´óª% %æ¦ßæRõ\kÕT¥9åM~æ°ZøÏÿ½Ï´2ÔõãØ·¯Yt¤NHðýÍH'_knFFKá\ûLµe¨w»Ù×OúOå«ßq¤AíXæÖ¡±Í»ÿªNJvúU{ çÜ¦N·ÞæØzB±%#`OÄ¿oðpºe8G_´+rr$EÏöø®_c¸ ÄÏ]_ü8++ÁË/ó?ö÷)Tu3ôIuwK?ç([g6°6ìêÂN00-T9)v {ï¬ñûx7ã9uGÚ¿û l¹ùUhÕJ~Ý¤Cô\XÆ¤)sd0"÷¢Än$lú\YgÅmjèþÇq*ÈÕwËd/\]PA/çyLe@75Xìü´^$>¯ÖÄÉªò0´O\|úØ²h:6ÈdÁ°àë"¿ý(¶äæLeâAçBNªN¿²¹¯£\|fäMè¼^áÛ request_handle: 0x00cc000c	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (4 events)

Time & API	Arguments	Return
RegOpenKeyExA Dec. 2, 2022, 10:32 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{A99C48CB-3323-443F-88FB-F6FF96326429}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{A99C48CB-3323-443F-88FB-F6FF96326429}_is1	2
RegOpenKeyExA Dec. 2, 2022, 10:32 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{A99C48CB-3323-443F-88FB-F6FF96326429}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{A99C48CB-3323-443F-88FB-F6FF96326429}_is1	2
RegOpenKeyExA Dec. 2, 2022, 10:32 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{A99C48CB-3323-443F-88FB-F6FF96326429}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000008 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{A99C48CB-3323-443F-88FB-F6FF96326429}_is1	2
RegOpenKeyExA Dec. 2, 2022, 10:32 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{A99C48CB-3323-443F-88FB-F6FF96326429}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000008 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{A99C48CB-3323-443F-88FB-F6FF96326429}_is1	2

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
cmdline	C:\Program Files (x86)\Internet Explorer\iexplore.exe https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:936 CREDAT:145409

Communicates with host for which no DNS query was performed (28 events)

host	104.21.73.149
host	104.74.168.254
host	107.180.41.158
host	142.93.169.197
host	154.35.175.225
host	162.241.24.197
host	177.11.54.131
host	178.20.55.16
host	178.63.41.183
host	184.168.97.42
host	186.202.127.56
host	190.228.29.114
host	195.219.57.43
host	199.250.214.152
host	202.124.241.201
host	207.32.181.122
host	217.70.178.4
host	23.216.159.81
host	43.250.140.44
host	51.68.204.139
host	52.73.17.211
host	64.13.192.154
host	70.39.146.5
host	80.237.132.210
host	81.2.195.201
host	85.13.163.220
host	93.186.117.3
host	95.214.53.210

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover

reg_value

"C:\Program Files (x86)\Common Files\Haekaeleshywo.exe"

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\is-4AJQ8.tmp\TUN.tmp

Network activity contains more than one unique useragent (2 events)

process	TUN.tmp				useragent	InnoDownloadPlugin/1.5
process	iexplore.exe				useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 936 resumed a thread in remote process 176
NtResumeThread Dec. 2, 2022, 10:33 a.m.	thread_handle: 0x0000035c suspend_count: 1 process_identifier: 176	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (1 event)

cmdline

"C:\Program Files (x86)\powerOff\Power Off.exe" -silent -desktopShortcut -programMenu

Generates some ICMP traffic

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Win32.Csdi.4!c
MicroWorld-eScan	Trojan.GenericKD.63967133
FireEye	Trojan.GenericKD.63967133
Cylance	Unsafe
Sangfor	Downloader.Msil.Agent.Vuem
Cybereason	malicious.2011c4
Arcabit	Trojan.Generic.D3D00F9D
Cyren	W32/ABRisk.NNBA-9309
Symantec	Trojan.Gen.MBT
Elastic	malicious (high confidence)
TrendMicro-HouseCall	Trojan.Win32.PRIVATELOADER.YXCK4Z
Kaspersky	Trojan-Downloader.MSIL.Csdi.fd
BitDefender	Trojan.GenericKD.63967133
Cynet	Malicious (score: 99)
Avast	FileRepMalware [Misc]
Tencent	Msil.Trojan-Downloader.Csdi.Gajl
Ad-Aware	Trojan.GenericKD.63967133
Sophos	Generic ML PUA (PUA)
Comodo	Malware@#2q0mwq1ko9jd8
VIPRE	Trojan.GenericKD.63967133
TrendMicro	Trojan.Win32.PRIVATELOADER.YXCK4Z
Emsisoft	Trojan.GenericKD.63967133 (B)
APEX	Malicious
Webroot	W32.Malware.Gen
Avira	HEUR/AGEN.1233171
Kingsoft	Win32.TrojDownloader.MSIL.fd.(kcloud)
Gridinsoft	Malware.Win32.Phonzy.cl
Microsoft	Trojan:Script/Phonzy.A!ml
GData	Trojan.GenericKD.63967133
Google	Detected
AhnLab-V3	Malware/Win.Generic.C5190104
McAfee	RDN/Generic.dx
Fortinet	W32/PossibleThreat
AVG	FileRepMalware [Misc]
CrowdStrike	win/grayware_confidence_60% (D)

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (5 events)

dead_host	177.11.54.131:995
dead_host	199.250.214.152:993
dead_host	186.202.127.56:995
dead_host	192.168.56.101:49754
dead_host	81.2.195.201:995

TUN.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All