Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 5, 2023, 7:40 a.m.	Oct. 5, 2023, 7:48 a.m.

Size	2.5MB
Type	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`5d4392b56aa4ebac400bbe86fe5d0767`
SHA256	`a604eed1325b12671370e268783cfa74f8675a468492ff98416187d73768b4af`
CRC32	`1C49571C`
ssdeep	`49152:o3s23i7y2K9TYDnORn+JuXbOoGlQXlSHcBA5TkfZnIZirM5RxivYp:`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Is_DotNET_EXE - (no description)

rjFcwBLmZM9M3y7.exe "C:\Users\test22\AppData\Local\Temp\rjFcwBLmZM9M3y7.exe"
1700
- JZ0YKIRT.exe "C:\ProgramData\Desktop\JZ0YKIRT.exe"
  2248
  - Setup.exe C:\376727a7b2803f067f989e8fc8cf70c4\\Setup.exe /x86 /x64 /ia64 /web
    2340
- 53ZW9SOP.exe "C:\Users\test22\AppData\Local\Temp\VirtualBox Dropped Files\53ZW9SOP.exe"
  2456

Name	Response	Post-Analysis Lookup
ip-api.com	A 208.95.112.1	208.95.112.1
rakishev.net	A 104.21.88.34 A 172.67.150.79	172.67.150.79

IP Address	Status	Action
104.21.88.34	Active	Moloch
164.124.101.2	Active	Moloch
208.95.112.1	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49176 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49177 -> 104.21.88.34:80	2035367	ET HUNTING Observed Malicious Filename in Outbound POST Request (Information.txt)	A Network Trojan was detected
TCP 192.168.56.103:49177 -> 104.21.88.34:80	2039097	ET HUNTING PNG in HTTP POST (Outbound)	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (10 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 5, 2023, 7:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 5, 2023, 7:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 5, 2023, 7:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 5, 2023, 7:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 5, 2023, 7:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 5, 2023, 7:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 5, 2023, 7:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 5, 2023, 7:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 5, 2023, 7:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 5, 2023, 7:34 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 5, 2023, 7:33 a.m.			0	0
IsDebuggerPresent Oct. 5, 2023, 7:33 a.m.			0	0
IsDebuggerPresent Oct. 5, 2023, 7:40 a.m.			0	0
IsDebuggerPresent Oct. 5, 2023, 7:33 a.m.			0	0
IsDebuggerPresent Oct. 5, 2023, 7:33 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 5, 2023, 7:33 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET http://ip-api.com/json/?fields=11827
suspicious_features	POST method with no referer header, POST method with no useragent header				suspicious_request	POST http://rakishev.net/wp-load.php

Performs some HTTP requests (2 events)

request	GET http://ip-api.com/json/?fields=11827
request	POST http://rakishev.net/wp-load.php

Sends data using the HTTP POST Method (1 event)

request

POST http://rakishev.net/wp-load.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 129 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000680000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c4b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000022f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002450000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b4000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e1a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ecc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ef6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ed0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e2c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e1c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e3b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e6c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e3d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e2d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e1b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 1700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e2a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 2340 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 2456 region_size: 2424832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000007b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 2456 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c4b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 2456 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001f90000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 2456 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000020f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:33 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b2000 process_handle: 0xffffffffffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Oct. 5, 2023, 7:40 a.m.	total_number_of_free_bytes: 9933029376 free_bytes_available: 9933029376 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0
GetDiskFreeSpaceExW Oct. 5, 2023, 7:40 a.m.	total_number_of_free_bytes: 9927118848 free_bytes_available: 9927118848 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Steals private information from local Internet browsers (50 out of 74 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igkpcodhieompeloncfnbekccinhapdb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dbhklojmlkgmpihhdooibnmidfpeaing
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gofhklgdnbnpcdigdgkgfobhhghjmmkj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flikjlpgnpcjdienoojmgliechmmheek
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ieedgmmkpkbiblijbbldefkomatsuahh
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bobfejfdlhnabgglompioclndjejolch
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\naepdomgkenhinolocfifgehidddafch
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idkppnahnmmggbmfkjhiakkbkdpnmnon
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhmlbgebokamljgnceonbncdofmmkedg
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\njgnlkhcjgmjfnfahdmfkalpjcneebpl
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pidhddgciaponoajdngciiemcflpnnbg
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nbokbjkelpmlgflobbohapifnnenbjlh
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jpxupxjxheguvfyhfhahqvxvyqthiryh
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mhonjhhcgphdphdjcdoeodfdliikapmj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gjffdbjndmcafeoehgdldobgjmlepcal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\admmjipmmciaobhojoghlmleefbicajg
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\caljgklbbfbcjjanaijlacgncafpegll
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pknlccmneadmjbkollckpblgaaabameg
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kgeohlebpjgcfiidfhhdlnnkhefajmca
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\khcodhlfkpmhibicdjjblnkgimdepgnd
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jhfjfclepacoldmjmkmdlmganfaalklb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blbpgcogcoohhngdjafgpoagcilicpjh
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppdjlkfkedmidmclhakfncpfdmdgmjpm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\elokfmmmjbadpgdjmgglocapdckdcpkn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lbfeahdfdkibininjgejjgpdafeopflb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mammpjaaoinfelloncbbpomjcihbkmmc
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocmfilhakdbncmojmlbagpkjfbmeinbd
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hbpfjlflhnmkddbjdchbbifhllgmmhnm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pfkcfdjnlfjcmkjnhcbfhfkkoflnhjln
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jifanbgejlbcmhbbdbnfbfnlmbomjedj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\doljkehcfhidippihgakcihcmnknlphh

Looks up the external IP address (1 event)

domain

ip-api.com

Creates executable files on the filesystem (32 events)

file	C:\376727a7b2803f067f989e8fc8cf70c4\1040\SetupResources.dll
file	C:\376727a7b2803f067f989e8fc8cf70c4\1028\SetupResources.dll
file	C:\376727a7b2803f067f989e8fc8cf70c4\sqmapi.dll
file	C:\376727a7b2803f067f989e8fc8cf70c4\3076\SetupResources.dll
file	C:\376727a7b2803f067f989e8fc8cf70c4\1037\SetupResources.dll
file	C:\376727a7b2803f067f989e8fc8cf70c4\1044\SetupResources.dll
file	C:\376727a7b2803f067f989e8fc8cf70c4\SetupEngine.dll
file	C:\376727a7b2803f067f989e8fc8cf70c4\2052\SetupResources.dll
file	C:\376727a7b2803f067f989e8fc8cf70c4\1032\SetupResources.dll
file	C:\376727a7b2803f067f989e8fc8cf70c4\1049\SetupResources.dll
file	C:\376727a7b2803f067f989e8fc8cf70c4\2070\SetupResources.dll
file	C:\376727a7b2803f067f989e8fc8cf70c4\1046\SetupResources.dll
file	C:\ProgramData\Desktop\JZ0YKIRT.exe
file	C:\376727a7b2803f067f989e8fc8cf70c4\1031\SetupResources.dll
file	C:\376727a7b2803f067f989e8fc8cf70c4\3082\SetupResources.dll
file	C:\376727a7b2803f067f989e8fc8cf70c4\1029\SetupResources.dll
file	C:\376727a7b2803f067f989e8fc8cf70c4\1053\SetupResources.dll
file	C:\376727a7b2803f067f989e8fc8cf70c4\Setup.exe
file	C:\376727a7b2803f067f989e8fc8cf70c4\1045\SetupResources.dll
file	C:\376727a7b2803f067f989e8fc8cf70c4\1030\SetupResources.dll
file	C:\376727a7b2803f067f989e8fc8cf70c4\1035\SetupResources.dll
file	C:\376727a7b2803f067f989e8fc8cf70c4\1033\SetupResources.dll
file	C:\376727a7b2803f067f989e8fc8cf70c4\1038\SetupResources.dll
file	C:\376727a7b2803f067f989e8fc8cf70c4\1041\SetupResources.dll
file	C:\376727a7b2803f067f989e8fc8cf70c4\1042\SetupResources.dll
file	C:\376727a7b2803f067f989e8fc8cf70c4\1025\SetupResources.dll
file	C:\376727a7b2803f067f989e8fc8cf70c4\SetupUtility.exe
file	C:\376727a7b2803f067f989e8fc8cf70c4\1055\SetupResources.dll
file	C:\376727a7b2803f067f989e8fc8cf70c4\1036\SetupResources.dll
file	C:\376727a7b2803f067f989e8fc8cf70c4\1043\SetupResources.dll
file	C:\376727a7b2803f067f989e8fc8cf70c4\SetupUi.dll
file	C:\Users\test22\AppData\Local\Temp\VirtualBox Dropped Files\53ZW9SOP.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\VirtualBox Dropped Files\53ZW9SOP.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\VirtualBox Dropped Files\53ZW9SOP.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (35 events)

Time & API	Arguments	Status	Return
Process32NextW Oct. 5, 2023, 7:40 a.m.	snapshot_handle: 0x00000124 process_name: smss.exe process_identifier: 232	1	1
Process32NextW Oct. 5, 2023, 7:40 a.m.	snapshot_handle: 0x00000124 process_name: csrss.exe process_identifier: 308	1	1
Process32NextW Oct. 5, 2023, 7:40 a.m.	snapshot_handle: 0x00000124 process_name: wininit.exe process_identifier: 344	1	1
Process32NextW Oct. 5, 2023, 7:40 a.m.	snapshot_handle: 0x00000124 process_name: csrss.exe process_identifier: 356	1	1
Process32NextW Oct. 5, 2023, 7:40 a.m.	snapshot_handle: 0x00000124 process_name: winlogon.exe process_identifier: 392	1	1
Process32NextW Oct. 5, 2023, 7:40 a.m.	snapshot_handle: 0x00000124 process_name: services.exe process_identifier: 436	1	1
Process32NextW Oct. 5, 2023, 7:40 a.m.	snapshot_handle: 0x00000124 process_name: lsass.exe process_identifier: 452	1	1
Process32NextW Oct. 5, 2023, 7:40 a.m.	snapshot_handle: 0x00000124 process_name: svchost.exe process_identifier: 560	1	1
Process32NextW Oct. 5, 2023, 7:40 a.m.	snapshot_handle: 0x00000124 process_name: svchost.exe process_identifier: 636	1	1
Process32NextW Oct. 5, 2023, 7:40 a.m.	snapshot_handle: 0x00000124 process_name: svchost.exe process_identifier: 716	1	1
Process32NextW Oct. 5, 2023, 7:40 a.m.	snapshot_handle: 0x00000124 process_name: svchost.exe process_identifier: 780	1	1
Process32NextW Oct. 5, 2023, 7:40 a.m.	snapshot_handle: 0x00000124 process_name: svchost.exe process_identifier: 824	1	1
Process32NextW Oct. 5, 2023, 7:40 a.m.	snapshot_handle: 0x00000124 process_name: audiodg.exe process_identifier: 896	1	1
Process32NextW Oct. 5, 2023, 7:40 a.m.	snapshot_handle: 0x00000124 process_name: svchost.exe process_identifier: 984	1	1
Process32NextW Oct. 5, 2023, 7:40 a.m.	snapshot_handle: 0x00000124 process_name: svchost.exe process_identifier: 340	1	1
Process32NextW Oct. 5, 2023, 7:40 a.m.	snapshot_handle: 0x00000124 process_name: spoolsv.exe process_identifier: 1060	1	1
Process32NextW Oct. 5, 2023, 7:40 a.m.	snapshot_handle: 0x00000124 process_name: taskhost.exe process_identifier: 1112	1	1
Process32NextW Oct. 5, 2023, 7:40 a.m.	snapshot_handle: 0x00000124 process_name: svchost.exe process_identifier: 1120	1	1
Process32NextW Oct. 5, 2023, 7:40 a.m.	snapshot_handle: 0x00000124 process_name: dwm.exe process_identifier: 1192	1	1
Process32NextW Oct. 5, 2023, 7:40 a.m.	snapshot_handle: 0x00000124 process_name: explorer.exe process_identifier: 1236	1	1
Process32NextW Oct. 5, 2023, 7:40 a.m.	snapshot_handle: 0x00000124 process_name: svchost.exe process_identifier: 1744	1	1
Process32NextW Oct. 5, 2023, 7:40 a.m.	snapshot_handle: 0x00000124 process_name: pw.exe process_identifier: 1888	1	1
Process32NextW Oct. 5, 2023, 7:40 a.m.	snapshot_handle: 0x00000124 process_name: SearchIndexer.exe process_identifier: 1652	1	1
Process32NextW Oct. 5, 2023, 7:40 a.m.	snapshot_handle: 0x00000124 process_name: mobsync.exe process_identifier: 1552	1	1
Process32NextW Oct. 5, 2023, 7:40 a.m.	snapshot_handle: 0x00000124 process_name: pw.exe process_identifier: 1684	1	1
Process32NextW Oct. 5, 2023, 7:40 a.m.	snapshot_handle: 0x00000124 process_name: sdclt.exe process_identifier: 2004	1	1
Process32NextW Oct. 5, 2023, 7:40 a.m.	snapshot_handle: 0x00000124 process_name: taskhost.exe process_identifier: 1156	1	1
Process32NextW Oct. 5, 2023, 7:40 a.m.	snapshot_handle: 0x00000124 process_name: cmd.exe process_identifier: 1948	1	1
Process32NextW Oct. 5, 2023, 7:40 a.m.	snapshot_handle: 0x00000124 process_name: conhost.exe process_identifier: 1212	1	1
Process32NextW Oct. 5, 2023, 7:40 a.m.	snapshot_handle: 0x00000124 process_name: SearchProtocolHost.exe process_identifier: 496	1	1
Process32NextW Oct. 5, 2023, 7:40 a.m.	snapshot_handle: 0x00000124 process_name: SearchFilterHost.exe process_identifier: 1740	1	1
Process32NextW Oct. 5, 2023, 7:40 a.m.	snapshot_handle: 0x00000124 process_name: rjFcwBLmZM9M3y7.exe process_identifier: 1700	1	1
Process32NextW Oct. 5, 2023, 7:40 a.m.	snapshot_handle: 0x00000124 process_name: pw.exe process_identifier: 1280	1	1
Process32NextW Oct. 5, 2023, 7:40 a.m.	snapshot_handle: 0x00000124 process_name: conhost.exe process_identifier: 416	1	1
Process32NextW Oct. 5, 2023, 7:40 a.m.	snapshot_handle: 0x00000124 process_name: JZ0YKIRT.exe process_identifier: 2248	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 5, 2023, 7:34 a.m.	flags: 15 family: 0		111	0

Expresses interest in specific running processes (2 events)

process	setup.exe
process	jz0ykirt.exe

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Executes one or more WMI queries (1 event)

wmi	SELECT * FROM AntivirusProduct

Appends a known CryptoMix ransomware file extension to files that have been encrypted (1 event)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet

File has been identified by 41 AntiVirus engines on VirusTotal as malicious (41 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Heur.MSIL.Krypt.12
ALYac	Gen:Heur.MSIL.Krypt.12
Cylance	unsafe
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.4e111b
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of MSIL/TrojanDropper.Agent.FEG
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Gen:Heur.MSIL.Krypt.12
Avast	Win32:DropperX-gen [Drp]
Rising	Dropper.Generic!8.35E (TFE:dGZlOgwTO/kFakrH0A)
Emsisoft	Gen:Heur.MSIL.Krypt.12 (B)
F-Secure	Trojan.TR/Dropper.Gen2
DrWeb	Trojan.PackedNET.2424
VIPRE	Gen:Heur.MSIL.Krypt.12
McAfee-GW-Edition	BehavesLike.Win32.Generic.vz
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.5d4392b56aa4ebac
Sophos	Mal/MsilDrop-A
Ikarus	Gen.MSIL.Krypt
GData	Gen:Heur.MSIL.Krypt.12
Jiangmin	Trojan.MSIL.twon
Avira	TR/Dropper.Gen2
Xcitium	TrojWare.MSIL.Agent.GH@60rvah
Arcabit	Trojan.MSIL.Krypt.12
ZoneAlarm	HEUR:Trojan.Win32.Generic
Google	Detected
AhnLab-V3	Trojan/Win.Generic.C5486082
McAfee	GenericRXWI-VB!5D4392B56AA4
MAX	malware (ai score=85)
VBA32	Dropper.MSIL.gen
Malwarebytes	Trojan.Binder.MSIL.Generic
SentinelOne	Static AI - Malicious PE
BitDefenderTheta	Gen:NN.ZemsilF.36738.FoW@aWB@evn
AVG	Win32:DropperX-gen [Drp]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (D)

rjFcwBLmZM9M3y7.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All