Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 11, 2023, 7:16 p.m.	Dec. 11, 2023, 7:25 p.m.

Size	2.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`9277e82030f3f80d2acb91ca8a2e21bb`
SHA256	`920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791`
CRC32	`3827EEAD`
ssdeep	`49152:7L2s5FXQ4EmojLjCRELVf7Avil+dHIsLp1thIikN+6u2hs8:7pzX71oDCRAZUviAHImDqia7hs8`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature NSIS_Installer - Null Soft Installer UPX_Zero - UPX packed file

InstallSetup9.exe "C:\Users\test22\AppData\Local\Temp\InstallSetup9.exe"
1508
- Broom.exe C:\Users\test22\AppData\Local\Temp\Broom.exe
  2080
- nsjC968.tmp.exe C:\Users\test22\AppData\Local\Temp\nsjC968.tmp.exe
  2200

Name	Response	Post-Analysis Lookup
iplogger.com	A 104.21.12.138 A 172.67.194.188	104.21.12.138
api.ipify.org	A 173.231.16.77 A 64.185.227.156 CNAME api4.ipify.org A 104.237.62.212	104.237.62.212

IP Address	Status	Action
104.237.62.212	Active	Moloch
164.124.101.2	Active	Moloch
172.67.194.188	Active	Moloch
5.42.64.35	Active	Moloch
91.92.254.7	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2047719	ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49169 -> 5.42.64.35:80	2011227	ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))	Potentially Bad Traffic
TCP 192.168.56.103:49169 -> 5.42.64.35:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 5.42.64.35:80 -> 192.168.56.103:49169	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 5.42.64.35:80 -> 192.168.56.103:49169	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 91.92.254.7:80	2011227	ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2047702	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup	Misc activity
TCP 192.168.56.103:49171 -> 172.67.194.188:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49171 -> 172.67.194.188:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.103:52760 -> 8.8.8.8:53	2047702	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup	Misc activity
TCP 192.168.56.103:49165 -> 104.237.62.212:80	2029622	ET POLICY External IP Lookup (ipify .org)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49165 -> 104.237.62.212:80	2011227	ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49171 172.67.194.188:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=iplogger.com	c1:91:92:9b:9a:80:29:75:dc:65:9b:a4:c0:11:8c:ac:72:d6:77:58

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 11, 2023, 7:16 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	Connection to IP address				suspicious_request	GET http://91.92.254.7/scripts/plus.php?ip=175.208.134.152&substr=nine&s=ab
suspicious_features	Connection to IP address				suspicious_request	GET http://5.42.64.35/syncUpd.exe

Performs some HTTP requests (4 events)

request	GET http://api.ipify.org/?format=scc
request	GET http://91.92.254.7/scripts/plus.php?ip=175.208.134.152&substr=nine&s=ab
request	GET http://5.42.64.35/syncUpd.exe
request	GET https://iplogger.com/19nVA4

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Dec. 11, 2023, 7:17 p.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:17 p.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 86016 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0029c000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:17 p.m.	process_identifier: 2200 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (8 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW Dec. 11, 2023, 7:17 p.m.	total_number_of_free_bytes: 9927487488 free_bytes_available: 9927487488 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Dec. 11, 2023, 7:17 p.m.	total_number_of_free_bytes: 9971531776 free_bytes_available: 9971531776 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Dec. 11, 2023, 7:17 p.m.	total_number_of_free_bytes: 10023055360 free_bytes_available: 10023055360 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Dec. 11, 2023, 7:17 p.m.	total_number_of_free_bytes: 10023055360 free_bytes_available: 10023055360 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Dec. 11, 2023, 7:17 p.m.	total_number_of_free_bytes: 10023051264 free_bytes_available: 10023051264 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Dec. 11, 2023, 7:17 p.m.	total_number_of_free_bytes: 10023124992 free_bytes_available: 10023124992 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Dec. 11, 2023, 7:17 p.m.	total_number_of_free_bytes: 10023124992 free_bytes_available: 10023124992 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Dec. 11, 2023, 7:17 p.m.	total_number_of_free_bytes: 10023124992 free_bytes_available: 10023124992 root_path: C: total_number_of_bytes: 34252779520	1	1

Looks up the external IP address (1 event)

domain

api.ipify.org

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Temp\Broom.exe
file	C:\Users\test22\AppData\Local\Temp\nslBFC3.tmp\INetC.dll
file	C:\Users\test22\AppData\Local\Temp\nsjC968.tmp.exe

Drops an executable to the user AppData folder (12 events)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe
file	C:\Users\test22\AppData\Local\Temp\202005191702_6d173b9549ce4fe1e5ada5ab9ce0bfff5d9569f19e7fa916db5c8d4f0dace63b_setup_nwc275a_demo.exe
file	C:\Users\test22\AppData\Local\Temp\Setup00000994\OSETUPUI.DLL
file	C:\Users\test22\AppData\Local\Temp\Broom.exe
file	C:\Users\test22\AppData\Local\Temp\Setup00000994\OSETUP.DLL
file	C:\Users\test22\AppData\Local\Temp\Setup000023ac\OSETUP.DLL
file	C:\Users\test22\AppData\Local\Temp\nsjC968.tmp.exe
file	C:\Users\test22\AppData\Local\Temp\Setup000023ac\ose00000.exe
file	C:\Users\test22\AppData\Local\Temp\Setup00000994\ose00000.exe
file	C:\Users\test22\AppData\Local\Temp\InstallSetup9.exe
file	C:\Users\test22\AppData\Local\Temp\nslBFC3.tmp\INetC.dll
file	C:\Users\test22\AppData\Local\Temp\Setup000023ac\OSETUPUI.DLL

An executable file was downloaded by the process installsetup9.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Dec. 11, 2023, 7:17 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $PELG.Öbà ÞCbð@ðDdP DÈËÀñè@ð.textðÜÞ `.rdata%ð&â@@.dataàÿA @À.rsrcÈË DÌ@@ff ÃÌÌÌÌÌÌÌÌÌá4ïÆÃÌÌÌÌÌÌÌÌÌUìì,EVW8@3ö=xEôuVÔûÿÿQVh BÿhðAhøBÿðA¡\,BX,BEàSEøuøUäèÿÿÿ]ø `,Bd,BÃ?MèUØÇEì ëë ¤$I3öÇEøEø xÇÁàEüùu9VÔûÿÿPhBÿ ðAVÿ¼ðAMÜQVuÜÿðAVVÿTðAEü xEèEüù©uÇ@.ëíëùëu5È Mø;Uð×ÓêÇî=êôUØEð1Eü3UüUðEðEôd)Eômôd=xuEðPVVMÔQVVVuðÿxðAUôÁâUüEäEüUôMøÂÓèMü4ÃGÈaEà3Æ3È+ùmìMüñþÿÿ=xm u>[ujhXBÿðAEô_F^å]Â_V^å]ÂÌÌÌÌÌÌÌÌÌUì¡x Ì Áèì ÀÔSðAV5PðAW=(ðAMüEø=xY jÿÖjjÿ×jjjÿÓhpBjjjjjÿðAjà÷ÿÿPjhÀBjjÿ¸ðAjÿðAjÿðA3ÀPMàQUäRPEäEèEìEðEôÿdðAjjjjjjhPBÿ`ðAEüPè>ýÿÿEümøPÿÿÿ_^[å]ÃÌÌÌÌÌÌÌÌÌUìQÇEüEüN3EüÌ å]ÃÌUìäø¸äè`d¡xSVW=±D$PjjL$DQjT$'RjÇD$(ÿxðAj$ôPjjjjÿDðAj$ôQjÿñAjjÿðAjÿ´ðAhÈBjjjjjÿðAjjÿXðAT$$Rÿ ðAjèÄjèE KPj£xÿHðAxL$<Qj@RP£Ì ÿ¨ðA3ö95xvN=°ðAd$¡\|0KÌ 2=x¨ujÿðAD$@Pÿ×hàBÿðAF;5xr¼5ðA=ðA¤ðA3ÀD$ xÈù£jjh0BÿÖj$ôRjhBjÿ×hüBÿÓj$ôPh¸Bÿ ðAjÿ4ðA3ÀP$ôRPD$"D$&D$fD$.3ÉD$ PQQfL$,ÿ<ðAjÿðAÿðAjL$(QÿlðAhBjjÿ¬ðAD$@=!D$<ÿÿÿè»üÿÿ=pðA3öIÿ×þ&uè¤ýÿÿFþ?u\|ë5ÀðA=ðA8ðAÇD${=xuSjjÿÖ3À3ÒL$fT$(QT$,D$.D$2D$6fD$:fD$D$D$D$"fD$&RD$HPÿ×j$ôQÿÓ=xujjT$,Rÿ,ðAl$uh¬BÿðA_^[å]ÃUìì$=xVWujÜûÿÿPÿ\ðAEÜèuÜè*=ðA3öÿþ'}ÜûÿÿQjÿ×FþÌô\|ä=0ðAS]ü3öÿ×þ%+~ûÕtPxu Fþ\|å=tðApðA3öjÿ×ÿÓÿ$ðAþGm Fþ¤ö\|ã.B¡p.Bx£\|èGüÿÿ]ü=LðA3öjÿ×þ%+~ûÕtPxu Fþ\|ã5@ðA¿[I=xujÜ÷ÿÿQhÌBÿÖïuß¡Ì £ÿÐ_3À^å]ÂÌÌÌÌÌÌÌÌÌVQðÄèeÆèNjèÆ^ÃÌÌÌjè ÃÌÌÌÌÌÌÌÌUì}t~rFèYÆÇFè+]ÂÌÌÌÌÌÌÌÂÌÌÌÌÌÌÌÌÌÌÌÌÌÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìQ3ÉMüHèÐEüèøÿÿå]ÃÌPèmYÃÌÌÌÌÌÌÌÌxr@ÃÀÃÿUìì(¡È B3ÅEüö BVtj èÈ YèÀtjèYö BÊàýÿÿÜýÿÿØýÿÿÔýÿÿµÐýÿÿ½ÌýÿÿføýÿÿfìýÿÿfÈýÿÿfÄýÿÿf¥Àýÿÿf¼ýÿÿðýÿÿuEôýÿÿÇ0ýÿÿµèýÿÿ@üjPäýÿÿØüÿÿjPèØüÿÿÄ(ýÿÿ0ýÿÿjÇØüÿÿ@µäüÿÿ,ýÿÿÿÈðA(ýÿÿPÿÄðAjèÌÿUìQSVWÿ5Ðè1ÿ5Ìø}üè!ðYY;÷Þ+ßCørwWèøCY;øsH¸;øsÇÇ;ÇrPÿuüèYYÀuG;Çr@Pÿuüè\|YYÀt1ÁûP4è< Y£Ðÿuè. ÆVè# Y£ÌEYë3À_^[ÉÃÿVjj èæðVèü Ä£Ð£ÌöujX^Ã&3À^ÃjhÐ BèôèÿeüÿuèøþÿÿYEäÇEüþÿÿÿè EäèÃèÞÃÿUìÿuè·ÿÿÿ÷ØÀ÷ØYH]ÃÿUì]éÿUìj jÿuèÞÄ]ÃÿUìW¿èWÿPðAÿuÿÌðAÇèÿ`êwÀtÞ_]ÃÿUìèéÿuè6ÿ5 Bè hÿÿÐÄ]ÃÿUìhìñAÿÌðAÀthÜñAPÿ\|ðAÀtÿuÿÐ]ÃÿUìÿuèÈÿÿÿYÿuÿÐðAÌjèÝYÃjèúYÃÿUìVðëÀtÿÐÆ;urð^]ÃÿUìVu3ÀëÀuÉtÿÑÆ;urì^]ÃÿUì=ØthØèµYÀt ÿuÿØYèäh¤ñAhñAè¡ÿÿÿYYÀuBh]7@èþÿÿ¸ñAÇ$ñAècÿÿÿ=ÜYthÜè]YÀtjjjÿÜ3À]Ãjhð Bè request_handle: 0x00cc000c	1	1	0

Communicates with host for which no DNS query was performed (2 events)

host	5.42.64.35
host	91.92.254.7

Attempts to identify installed AV products by installation directory (1 event)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\Broom.exe

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Drops 156 unknown file mime types indicative of ransomware writing encrypted files back to disk (50 out of 156 events)

file	C:\Windows\Prefetch\PYTHON.EXE-C663CFDC.pf
file	C:\Windows\Prefetch\GOOGLEUPDATESETUP.EXE-305B5E54.pf
file	C:\Windows\Prefetch\AUDIODG.EXE-BDFD3029.pf
file	C:\Windows\Prefetch\THUNDERBIRD.EXE-A0DA674F.pf
file	C:\Windows\Prefetch\DLLHOST.EXE-4F28A26F.pf
file	c:\Windows\Temp\fwtsqmfile01.sqm
file	C:\Windows\Prefetch\SVCHOST.EXE-7AC6742A.pf
file	C:\Windows\Prefetch\GOOGLEUPDATE.EXE-D0E66F4A.pf
file	C:\Windows\Prefetch\86.0.4240.111_CHROME_INSTALLE-AF26656A.pf
file	C:\Windows\Prefetch\CSC.EXE-BE9AC2DF.pf
file	c:\Windows\Temp\fwtsqmfile00.sqm
file	C:\Windows\Prefetch\SOFTWARE_REPORTER_TOOL.EXE-EB18F4FF.pf
file	C:\Users\test22\AppData\Local\Temp\~DF8C0F100C7231519A.TMP
file	C:\Windows\Prefetch\IEXPLORE.EXE-908C99F8.pf
file	C:\Windows\Prefetch\DLLHOST.EXE-5E46FA0D.pf
file	C:\Windows\Prefetch\SLUI.EXE-724E99D9.pf
file	C:\Windows\Prefetch\RUNDLL32.EXE-1304AE86.pf
file	C:\Windows\Prefetch\PING.EXE-7E94E73E.pf
file	C:\Windows\Prefetch\GOOGLEUPDATE.EXE-C3A1B497.pf
file	C:\Windows\Prefetch\IEXPLORE.EXE-4B6C9213.pf
file	C:\Windows\Prefetch\WMIPRVSE.EXE-1628051C.pf
file	C:\Windows\Prefetch\DEFRAG.EXE-588F90AD.pf
file	C:\Windows\Prefetch\CHROME.EXE-D999B1BA.pf
file	C:\Windows\Prefetch\IMKRMIG.EXE-AAA206C5.pf
file	C:\Windows\Prefetch\UNPACK200.EXE-E4DF1A4E.pf
file	C:\Windows\Prefetch\DLLHOST.EXE-40DD444D.pf
file	C:\Windows\Prefetch\7ZFM.EXE-22E64FB8.pf
file	C:\Windows\Prefetch\GOOGLEUPDATESETUP.EXE-B0D5C571.pf
file	C:\Windows\Prefetch\GOOGLEUPDATESETUP.EXE-34B7EAE8.pf
file	C:\Windows\Prefetch\SVCHOST.EXE-E1E0ACE0.pf
file	C:\Windows\Prefetch\LOGONUI.EXE-09140401.pf
file	C:\Windows\Prefetch\AgGlFgAppHistory.db
file	C:\Windows\Prefetch\JAVAW.EXE-D0AA8787.pf
file	C:\Windows\Prefetch\SSVAGENT.EXE-0CD059B7.pf
file	C:\Windows\Prefetch\AgGlUAD_P_S-1-5-21-3832866432-4053218753-3017428901-1001.db
file	C:\Windows\Prefetch\WERMGR.EXE-0F2AC88C.pf
file	C:\Windows\Prefetch\OSE.EXE-2B23CA4C.pf
file	C:\Windows\Prefetch\INSTALLER.EXE-60163557.pf
file	C:\Windows\Prefetch\PINGSENDER.EXE-8E79128B.pf
file	C:\Windows\Prefetch\RUNDLL32.EXE-5A853E81.pf
file	C:\Windows\Prefetch\AgRobust.db
file	C:\Windows\Prefetch\ICACLS.EXE-B19DE1F7.pf
file	C:\Windows\Prefetch\IMEKLMG.EXE-3FEB7CC0.pf
file	C:\Windows\Prefetch\GOOGLEUPDATECOMREGISTERSHELL6-BB6760AF.pf
file	C:\Windows\Prefetch\NOTEPAD.EXE-D8414F97.pf
file	C:\Windows\Prefetch\7ZG.EXE-0F8C4081.pf
file	C:\Windows\Prefetch\CMD.EXE-AC113AA8.pf
file	C:\Windows\Prefetch\AgGlGlobalHistory.db
file	C:\Windows\Prefetch\ReadyBoot\Trace4.fx
file	C:\Windows\Prefetch\MMC.EXE-561C5A40.pf

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 441 events)

file	C:\Users\test22\AppData\Local\Temp\SetupExe(20200504224110B04).log
file	C:\Windows\Prefetch\SNIPPINGTOOL.EXE-EFFDAFDE.pf
file	C:\Windows\Prefetch\IMEKLMG.EXE-3FEB7CC0.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1F4WQUHZ\dropbox_logo_text_2015-vfld7_dJ8[1].svg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\override[1].css
file	C:\Windows\Prefetch\SVCHOST.EXE-7AC6742A.pf
file	C:\Windows\Prefetch\SVCHOST.EXE-80F4A784.pf
file	C:\Users\test22\AppData\Local\Temp\dd_vcredist_amd64_20180201144548_000_vcRuntimeMinimum_x64.log
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\desktop.ini
file	C:\Windows\Prefetch\MAINTENANCESERVICE.EXE-FA0B1B99.pf
file	C:\Users\test22\AppData\Local\Temp\{E7573238-1B24-467B-B5A4-0BE967E0BF64}.tmp
file	C:\Windows\Prefetch\CONTROL.EXE-817F8F1D.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U06NAGU2\mnrstrtr[1].js
file	C:\Windows\Prefetch\MSCORSVW.EXE-90526FAC.pf
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000026.log
file	C:\Windows\Prefetch\RUNDLL32.EXE-5A853E81.pf
file	C:\Windows\Prefetch\CVTRES.EXE-2B9D810D.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\SOC-Facebook[1].png
file	C:\Windows\Prefetch\RUNDLL32.EXE-8C11D845.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\f[2].txt
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\keys_js5[2].htm
file	C:\Windows\Prefetch\WERMGR.EXE-0F2AC88C.pf
file	C:\Windows\Prefetch\SVCHOST.EXE-E1E0ACE0.pf
file	C:\Windows\Prefetch\RUNDLL32.EXE-4366A668.pf
file	C:\Windows\Prefetch\RUNDLL32.EXE-87432CEE.pf
file	C:\Windows\Prefetch\AgGlUAD_P_S-1-5-21-3832866432-4053218753-3017428901-1001.db
file	C:\Windows\Prefetch\AgAppLaunch.db
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\syncUpd[1].exe
file	C:\Users\test22\AppData\Local\Temp\SetupExe(20180405152131B24).log
file	c:\Windows\Temp\TS_7FC6.tmp
file	C:\Windows\Prefetch\IEXPLORE.EXE-908C99F8.pf
file	C:\Windows\Prefetch\GOOGLEUPDATE.EXE-C3A1B497.pf
file	C:\Windows\Prefetch\RUNDLL32.EXE-1304AE86.pf
file	C:\Windows\Prefetch\AUDIODG.EXE-BDFD3029.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\AdPostInjectAsync[1].nhn
file	C:\Windows\Prefetch\AgGlGlobalHistory.db
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\ipsec[4].htm
file	C:\Windows\Prefetch\DEFRAG.EXE-588F90AD.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\invalidcert[1]
file	C:\Windows\Prefetch\DLLHOST.EXE-97F6A314.pf
file	C:\Users\test22\AppData\Local\Temp\UserInfoSetup(201804051522349E8).log
file	c:\Windows\Temp\TS_88E1.tmp
file	C:\Users\test22\AppData\Local\Temp\RD25B7.tmp
file	C:\Windows\Prefetch\JAVAWS.EXE-FE17358E.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\TopNav[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\554576[1].htm
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\getLoginStatus[2].nhn
file	C:\Windows\Prefetch\ELEVATION_SERVICE.EXE-9F359A74.pf
file	C:\Windows\Prefetch\GOOGLEUPDATE.EXE-B95715F5.pf
file	C:\Users\test22\AppData\Local\Temp\7zO4B1094CA\test.docx

Detects VirtualBox through the presence of a file (1 event)

file	C:\Windows\Prefetch\VBOXDRVINST.EXE-7DCD6070.pf

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Stealerc.i!c
MicroWorld-eScan	Trojan.Generic.34414788
FireEye	Trojan.Generic.34414788
ALYac	Trojan.Generic.34414788
Malwarebytes	Trojan.Downloader
Sangfor	Infostealer.Win32.Stealerc.Vnib
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	TrojanDownloader:MSIL/Taily.d64e80b3
K7GW	Riskware ( 0040eff71 )
CrowdStrike	win/malicious_confidence_100% (W)
Symantec	Trojan Horse
Elastic	malicious (high confidence)
ESET-NOD32	NSIS/TrojanDownloader.Agent.OAZ
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	HEUR:Trojan-PSW.Win32.Stealerc.gen
BitDefender	Trojan.Generic.34414788
Avast	NSIS:PWSX-gen [Trj]
Rising	Trojan.Generic@AI.100 (RDML:tly+tfLQoLGf81Pc3j0TvQ)
Emsisoft	Trojan.Generic.34414788 (B)
F-Secure	Trojan.TR/Dldr.Agent.mqxfu
DrWeb	Program.Unwanted.5493
VIPRE	Trojan.Generic.34414788
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.Injector
Varist	W32/ABRisk.OYGR-3481
Avira	TR/Dldr.Agent.mqxfu
MAX	malware (ai score=89)
Antiy-AVL	Trojan/Win32.Malgent
Kingsoft	Win32.Trojan-PSW.Stealerc.gen
Microsoft	TrojanDownloader:MSIL/Taily!pz
Gridinsoft	Malware.Win32.Gen.tr
Xcitium	Malware@#1o2coqjl0l2yj
Arcabit	Trojan.Generic.D20D20C4
ZoneAlarm	HEUR:Trojan-PSW.Win32.Stealerc.gen
GData	Win32.Trojan.Agent.WL1M55
Google	Detected
Cylance	unsafe
Panda	PUP/PCCleaner
Tencent	Nsis.Trojan-Downloader.Ader.Ckjl
Fortinet	Riskware/Agent
AVG	NSIS:PWSX-gen [Trj]
DeepInstinct	MALICIOUS

InstallSetup9.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All