Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 8, 2022, 10:31 a.m.	Dec. 8, 2022, 10:42 a.m.

Size	380.8KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`f59160f8bf6d380cdecbd2db94c61deb`
SHA256	`885e0a44035c45c8643139acac60e5f8ca2ada3218bda9691dcbd98602653703`
CRC32	`E33C8FF2`
ssdeep	`6144:x/QiQXC8km+ksmpk3U9j0IkGOGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglM7LT:pQi38P6m6UR0IkGlL//plmW9bTXeVhD4`
Yara	Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

TUN3.exe "C:\Users\test22\AppData\Local\Temp\TUN3.exe"
1476
- TUN3.tmp "C:\Users\test22\AppData\Local\Temp\is-GK0T2.tmp\TUN3.tmp" /SL5="$30028,140559,56832,C:\Users\test22\AppData\Local\Temp\TUN3.exe"
  1156
  - zizou.exe "C:\Users\test22\AppData\Local\Temp\is-QN97K.tmp\zizou.exe" /S /UID=1405
    2216
    - poweroff.exe "C:\Program Files\HashTab Shell Extension\OUVIFXRJHA\poweroff.exe" /VERYSILENT
      2852
      - poweroff.tmp "C:\Users\test22\AppData\Local\Temp\is-FIOTD.tmp\poweroff.tmp" /SL5="$8002C,490199,350720,C:\Program Files\HashTab Shell Extension\OUVIFXRJHA\poweroff.exe" /VERYSILENT
        2940
        
        Power Off.exe "C:\Program Files (x86)\powerOff\Power Off.exe" -silent -desktopShortcut -programMenu
        3052
    - Bymixiliti.exe "C:\Users\test22\AppData\Local\Temp\d5-11fc1-9d3-a4ab1-2b1b74524b84f\Bymixiliti.exe"
      2876
      - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        2700
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2700 CREDAT:145409
        2012
    - Lejaerosholy.exe "C:\Users\test22\AppData\Local\Temp\05-d7c6e-2df-0e0b2-8e8cba4909419\Lejaerosholy.exe"
      2964
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
trustnero.com	A 104.21.1.91 A 172.67.128.245	104.21.1.91
5de5c46f-c6bb-4dc8-bd5f-34662c54ce50.s3.pl-waw.scw.cloud	A 151.115.10.1 CNAME s3.pl-waw.scw.cloud	151.115.10.1
apps.identrust.com	A 23.67.53.27 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 23.67.53.18 A 61.111.58.35 A 61.111.58.34 A 23.50.121.137 A 23.50.121.153	23.43.165.105
360devtracking.com	A 37.230.138.66	37.230.138.66
www.profitabletrustednetwork.com	A 173.233.137.36 A 173.233.139.164 A 192.243.61.227 A 192.243.61.225 A 173.233.137.60 A 192.243.59.12 A 192.243.59.20 A 192.243.59.13 A 173.233.137.52 A 173.233.137.44	173.233.137.52
www.google.com	A 142.251.42.164	142.250.207.100
connectini.net	A 37.230.138.123	37.230.138.123
wewewe.s3.eu-central-1.amazonaws.com	CNAME s3-r-w.eu-central-1.amazonaws.com A 52.219.170.30	3.5.139.163
google.com	A 142.250.204.142	172.217.25.174
www.aculpainting.com	A 23.160.193.16	23.160.193.16
a.dowgmua.com	A 104.21.57.8 A 172.67.157.126	172.67.157.126
droplex.s3.pl-waw.scw.cloud	A 151.115.10.1 CNAME s3.pl-waw.scw.cloud	151.115.10.1

IP Address	Status	Action
104.21.1.91	Active	Moloch
142.250.204.142	Active	Moloch
142.251.42.164	Active	Moloch
151.115.10.1	Active	Moloch
164.124.101.2	Active	Moloch
192.243.59.12	Active	Moloch
192.243.61.227	Active	Moloch
23.160.193.16	Active	Moloch
23.50.121.153	Active	Moloch
23.67.53.18	Active	Moloch
37.230.138.123	Active	Moloch
37.230.138.66	Active	Moloch
52.219.170.30	Active	Moloch
61.111.58.34	Active	Moloch
61.111.58.35	Active	Moloch
95.214.24.96	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:64894 -> 164.124.101.2:53	2027865	ET INFO Observed DNS Query to .cloud TLD	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 151.115.10.1:80	2027874	ET INFO HTTP Request to Suspicious *.cloud Domain	Potentially Bad Traffic
TCP 192.168.56.103:49168 -> 52.219.170.30:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49164 -> 151.115.10.1:80	2027874	ET INFO HTTP Request to Suspicious *.cloud Domain	Potentially Bad Traffic
TCP 192.168.56.103:49166 -> 37.230.138.123:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49169 -> 151.115.10.1:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 151.115.10.1:80 -> 192.168.56.103:49164	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.103:49188 -> 142.251.42.164:80	2036303	ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check	A Network Trojan was detected
TCP 192.168.56.103:49200 -> 37.230.138.123:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2027865	ET INFO Observed DNS Query to .cloud TLD	Potentially Bad Traffic
UDP 192.168.56.103:53673 -> 164.124.101.2:53	2027865	ET INFO Observed DNS Query to .cloud TLD	Potentially Bad Traffic
TCP 192.168.56.103:49170 -> 151.115.10.1:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49205 -> 192.243.61.227:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49206 -> 192.243.61.227:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49191 -> 37.230.138.123:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.103:49168 52.219.170.30:443	C=US, O=Amazon, OU=Server CA 1B, CN=Amazon	CN=*.s3.eu-central-1.amazonaws.com	bc:92:6b:62:48:5f:c5:08:60:03:a9:1e:bc:29:58:79:d7:4b:94:fb
TLSv1 192.168.56.103:49166 37.230.138.123:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49
TLS 1.2 192.168.56.103:49169 151.115.10.1:443	C=US, O=Let's Encrypt, CN=R3	CN=s3.pl-waw.scw.cloud	13:5a:26:76:9b:02:b0:88:8d:ed:ac:89:e9:f3:d1:bd:f4:6d:ff:fd
TLSv1 192.168.56.103:49200 37.230.138.123:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49
TLS 1.2 192.168.56.103:49170 151.115.10.1:443	C=US, O=Let's Encrypt, CN=R3	CN=s3.pl-waw.scw.cloud	13:5a:26:76:9b:02:b0:88:8d:ed:ac:89:e9:f3:d1:bd:f4:6d:ff:fd
TLSv1 192.168.56.103:49205 192.243.61.227:443	C=US, O=Let's Encrypt, CN=R3	CN=profitabletrustednetwork.com	6a:48:45:b5:44:ae:75:f4:d2:b3:d4:5e:bc:2f:61:30:ec:d4:3a:99
TLSv1 192.168.56.103:49206 192.243.61.227:443	C=US, O=Let's Encrypt, CN=R3	CN=profitabletrustednetwork.com	6a:48:45:b5:44:ae:75:f4:d2:b3:d4:5e:bc:2f:61:30:ec:d4:3a:99
TLSv1 192.168.56.103:49191 37.230.138.123:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Dec. 8, 2022, 10:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 8, 2022, 10:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Dec. 8, 2022, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 8, 2022, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 8, 2022, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 8, 2022, 10:25 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (7 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 8, 2022, 10:31 a.m.			0	0
IsDebuggerPresent Dec. 8, 2022, 10:24 a.m.			0	0
IsDebuggerPresent Dec. 8, 2022, 10:24 a.m.			0	0
IsDebuggerPresent Dec. 8, 2022, 10:32 a.m.			0	0
IsDebuggerPresent Dec. 8, 2022, 10:25 a.m.			0	0
IsDebuggerPresent Dec. 8, 2022, 10:25 a.m.			0	0
IsDebuggerPresent Dec. 8, 2022, 10:25 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 8, 2022, 10:24 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Dec. 8, 2022, 10:32 a.m.	stacktrace: tun3+0x816a8 @ 0x4816a8 tun3+0x99c13 @ 0x499c13 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedface exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 1637924 registers.edi: 4523332 registers.eax: 1637924 registers.ebp: 1638004 registers.edx: 0 registers.ebx: 0 registers.esi: 2 registers.ecx: 7	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (18 events)

suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.google.com/
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/SuperNitouDisc.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/pub-nv5fyed7t8r9ykva.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/up-da-nv5fyed7t8r9ykva.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/hand-h6vuy332pnrr8zq9.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/S2S/Disc/Disc.php?ezok=pwoffch2&tesla=6
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/Conumer4Publisher.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/Series/publisher/1/KR.json
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/Conumer2kenpachi.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/Series/kenpachi/2/goodchannel/KR.json
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/Series/configPoduct/2/goodchannel.json
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_mp3studioWW
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_file2Ww
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_Trustnero
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_MyFileWW
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_PegasunWW

Performs some HTTP requests (21 events)

request	HEAD http://5de5c46f-c6bb-4dc8-bd5f-34662c54ce50.s3.pl-waw.scw.cloud/mix-carrers/poweroff.exe
request	GET http://5de5c46f-c6bb-4dc8-bd5f-34662c54ce50.s3.pl-waw.scw.cloud/mix-carrers/poweroff.exe
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
request	GET http://www.google.com/
request	POST https://connectini.net/Series/SuperNitouDisc.php
request	GET https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
request	GET https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/pub-nv5fyed7t8r9ykva.exe
request	GET https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/up-da-nv5fyed7t8r9ykva.exe
request	GET https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/hand-h6vuy332pnrr8zq9.exe
request	GET https://connectini.net/S2S/Disc/Disc.php?ezok=pwoffch2&tesla=6
request	POST https://connectini.net/Series/Conumer4Publisher.php
request	GET https://connectini.net/Series/publisher/1/KR.json
request	POST https://connectini.net/Series/Conumer2kenpachi.php
request	GET https://connectini.net/Series/kenpachi/2/goodchannel/KR.json
request	GET https://connectini.net/Series/configPoduct/2/goodchannel.json
request	GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_mp3studioWW
request	GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_file2Ww
request	GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_Trustnero
request	GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_MyFileWW
request	GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_PegasunWW

Sends data using the HTTP POST Method (4 events)

request	POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
request	POST https://connectini.net/Series/SuperNitouDisc.php
request	POST https://connectini.net/Series/Conumer4Publisher.php
request	POST https://connectini.net/Series/Conumer2kenpachi.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 726 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Dec. 8, 2022, 10:31 a.m.	process_identifier: 1476 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 8, 2022, 10:31 a.m.	process_identifier: 1476 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 8, 2022, 10:31 a.m.	process_identifier: 1476 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 10:31 a.m.	process_identifier: 1156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000067a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000006a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000007b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3721000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3dbb000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001f50000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002060000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3722000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3722000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3722000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3722000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3722000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3722000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3722000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3722000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3722000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3722000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3722000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3724000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3724000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3724000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3724000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f8a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f9c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe940b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe940b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe940b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe940b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe940b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9403c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94066000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94040000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f8b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe940b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe940b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f9d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe940b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe940b8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe940b9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 10:24 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

A process attempted to delay the analysis task. (1 event)

description

Bymixiliti.exe tried to sleep 124 seconds, actually delayed analysis time by 124 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Dec. 8, 2022, 10:25 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 9930739712 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1	0

Creates executable files on the filesystem (10 events)

file	C:\Users\test22\AppData\Local\Temp\is-QN97K.tmp\idp.dll
file	C:\Users\test22\AppData\Local\Temp\is-O6PNL.tmp\_isetup\_shfoldr.dll
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\powerOff.lnk
file	C:\Users\Public\Desktop\powerOff.lnk
file	C:\Program Files (x86)\7-Zip\Naegajysipae.exe
file	C:\Users\test22\AppData\Local\Temp\is-QN97K.tmp\zizou.exe
file	C:\Program Files\HashTab Shell Extension\OUVIFXRJHA\poweroff.exe
file	C:\Users\test22\AppData\Local\Temp\05-d7c6e-2df-0e0b2-8e8cba4909419\Lejaerosholy.exe
file	C:\Users\test22\AppData\Local\Temp\d5-11fc1-9d3-a4ab1-2b1b74524b84f\Bymixiliti.exe
file	C:\Users\test22\AppData\Local\Temp\is-QN97K.tmp\_isetup\_shfoldr.dll

Creates a shortcut to an executable file (3 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\powerOff.lnk
file	C:\Users\Public\Desktop\powerOff.lnk

Drops a binary and executes it (3 events)

file	C:\Program Files\HashTab Shell Extension\OUVIFXRJHA\poweroff.exe
file	C:\Users\test22\AppData\Local\Temp\d5-11fc1-9d3-a4ab1-2b1b74524b84f\Bymixiliti.exe
file	C:\Users\test22\AppData\Local\Temp\05-d7c6e-2df-0e0b2-8e8cba4909419\Lejaerosholy.exe

Drops an executable to the user AppData folder (7 events)

file	C:\Users\test22\AppData\Local\Temp\is-GK0T2.tmp\TUN3.tmp
file	C:\Users\test22\AppData\Local\Temp\05-d7c6e-2df-0e0b2-8e8cba4909419\Lejaerosholy.exe
file	C:\Users\test22\AppData\Local\Temp\is-FIOTD.tmp\poweroff.tmp
file	C:\Users\test22\AppData\Local\Temp\is-QN97K.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-QN97K.tmp\idp.dll
file	C:\Users\test22\AppData\Local\Temp\is-QN97K.tmp\zizou.exe
file	C:\Users\test22\AppData\Local\Temp\d5-11fc1-9d3-a4ab1-2b1b74524b84f\Bymixiliti.exe

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Dec. 8, 2022, 10:33 a.m.	process_identifier: 2012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x029a0000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Dec. 8, 2022, 10:24 a.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process tun3.tmp (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Dec. 8, 2022, 10:31 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL >à"0ZHîx @ @ xKFà H.textôX Z `.rsrcFF\@@.relocà¢@BÐxH`Ï@©,ùàEoïÜ¢Ðò´óª% %æ¦ßæRõ\kÕT¥9åM~æ°ZøÏÿ½Ï´2ÔõãØ·¯Yt¤NHðýÍH'_knFFKá\ûLµe¨w»Ù×OúOå«ßq¤AíXæÖ¡±Í»ÿªNJvúU{ çÜ¦N·ÞæØzB±%#`OÄ¿oðpºe8G_´+rr$EÏöø®_c¸ ÄÏ]_ü8++ÁË/ó?ö÷)Tu3ôIuwK?ç([g6°6ìêÂN00-T9)v {ï¬ñûx7ã9uGÚ¿û l¹ùUhÕJ~Ý¤Cô\XÆ¤)sd0"÷¢Än$lú\YgÅmjèþÇq*ÈÕwËd/\]PA/çyLe@75Xìü´^$>¯ÖÄÉªò0´O\|úØ²h:6ÈdÁ°àë"¿ý(¶äæLeâAçBNªN¿²¹¯£\|fäMè¼^áÛ request_handle: 0x00cc000c	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (4 events)

Time & API	Arguments	Return
RegOpenKeyExA Dec. 8, 2022, 10:32 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{A99C48CB-3323-443F-88FB-F6FF96326429}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{A99C48CB-3323-443F-88FB-F6FF96326429}_is1	2
RegOpenKeyExA Dec. 8, 2022, 10:32 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{A99C48CB-3323-443F-88FB-F6FF96326429}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{A99C48CB-3323-443F-88FB-F6FF96326429}_is1	2
RegOpenKeyExA Dec. 8, 2022, 10:32 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{A99C48CB-3323-443F-88FB-F6FF96326429}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000008 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{A99C48CB-3323-443F-88FB-F6FF96326429}_is1	2
RegOpenKeyExA Dec. 8, 2022, 10:32 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{A99C48CB-3323-443F-88FB-F6FF96326429}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000008 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{A99C48CB-3323-443F-88FB-F6FF96326429}_is1	2

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2700 CREDAT:145409
cmdline	C:\Program Files (x86)\Internet Explorer\iexplore.exe https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6

Communicates with host for which no DNS query was performed (1 event)

host

95.214.24.96

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Dec. 8, 2022, 10:26 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover

reg_value

"C:\Program Files (x86)\7-Zip\Naegajysipae.exe"

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (2 events)

process	TUN3.tmp				useragent	InnoDownloadPlugin/1.5
process	iexplore.exe				useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2700 resumed a thread in remote process 2012
NtResumeThread Dec. 8, 2022, 10:33 a.m.	thread_handle: 0x0000035c suspend_count: 1 process_identifier: 2012	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (1 event)

cmdline

"C:\Program Files (x86)\powerOff\Power Off.exe" -silent -desktopShortcut -programMenu

Generates some ICMP traffic

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Win32.Csdi.4!c
MicroWorld-eScan	Gen:Variant.Babar.125028
ALYac	Gen:Variant.Babar.125028
Cylance	Unsafe
Sangfor	Trojan.Win32.Agent.Aohr
Cybereason	malicious.fd714b
Arcabit	Trojan.Babar.D1E864
Symantec	Trojan.Gen.MBT
Elastic	malicious (high confidence)
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Gen:Variant.Babar.125028
Avast	FileRepMalware [Cryp]
Ad-Aware	Gen:Variant.Babar.125028
Emsisoft	Gen:Variant.Babar.125028 (B)
VIPRE	Gen:Variant.Babar.125028
McAfee-GW-Edition	BehavesLike.Win32.AdwareFileTour.fc
FireEye	Gen:Variant.Babar.125028
Sophos	Mal/Generic-S
Avira	HEUR/AGEN.1233171
MAX	malware (ai score=82)
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:Win32/Manuscrypt!MTB
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Gen:Variant.Babar.125028
Cynet	Malicious (score: 99)
AhnLab-V3	Malware/Win.Generic.C5190104
McAfee	Artemis!F59160F8BF6D
Malwarebytes	Trojan.Dropper
TrendMicro-HouseCall	TROJ_GEN.R002H07L722
Fortinet	W32/PossibleThreat
AVG	FileRepMalware [Cryp]
CrowdStrike	win/malicious_confidence_100% (W)

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 events)

dead_host	192.168.56.103:49202
dead_host	192.243.59.12:443
dead_host	192.168.56.103:49201

TUN3.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All