Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 23, 2023, 6:16 p.m.	Dec. 23, 2023, 6:25 p.m.

Size	799.2KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`e0bc2140d5a10035fb6d3b4e1b46cdfe`
SHA256	`4e2375353e49f18d6679c5372a688fc5c9a2ae3994830e6fe19e1cd20bc5ea6d`
CRC32	`54AAE385`
ssdeep	`24576:aAlTCq3CQGpn2B5ziaj5n9798/dvDwP81d:tT5T6q5jjX798/dvDwP81d`
Yara	PE_Header_Zero - PE File Signature IsPE64 - (no description) UPX_Zero - UPX packed file

Rby1.exe "C:\Users\test22\AppData\Local\Temp\Rby1.exe"
2336
- CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2400
  - ugttmv0bWvGn3XMEJXD45JlM.exe "C:\Users\test22\Pictures\ugttmv0bWvGn3XMEJXD45JlM.exe"
    2580
  - SS6Yx9EBpDnr7H5AwiVDv6Bl.exe "C:\Users\test22\Pictures\SS6Yx9EBpDnr7H5AwiVDv6Bl.exe"
    2684
  - jkBSx0PNHElKEPX505wphL5k.exe "C:\Users\test22\Pictures\jkBSx0PNHElKEPX505wphL5k.exe"
    2732
  - xxVA1wFApK5K0025cO6LKkqR.exe "C:\Users\test22\Pictures\xxVA1wFApK5K0025cO6LKkqR.exe"
    2756
  - tOtcmAUyZOxR462do2YSqCR9.exe "C:\Users\test22\Pictures\tOtcmAUyZOxR462do2YSqCR9.exe"
    2828
    - BroomSetup.exe C:\Users\test22\AppData\Local\Temp\BroomSetup.exe
      2924
    - nsx392A.tmp.exe C:\Users\test22\AppData\Local\Temp\nsx392A.tmp.exe
      2100
  - GuMIRR01ABdwlRPjBwLToenr.exe "C:\Users\test22\Pictures\GuMIRR01ABdwlRPjBwLToenr.exe" --silent --allusers=0
    3008
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
flyawayaero.net	A 104.21.93.225 A 172.67.216.81	104.21.93.225
www.kaspersky.com	CNAME multisite3.geo.kaspersky.com A 185.85.15.46	185.85.15.47
pastebin.com	A 104.20.67.143 A 172.67.34.170 A 104.20.68.143	172.67.34.170
galandskiyher5.com	A 158.160.130.138	158.160.130.138
yip.su	A 104.21.79.77 A 172.67.169.89	104.21.79.77
redirector.pm	A 194.49.94.85	194.49.94.85
randomdomainname.org	A 104.21.30.5 A 172.67.150.41	104.21.30.5
malwarebytes.com	A 192.0.66.233	192.0.66.233
bitbucket.org	A 104.192.141.1	104.192.141.1
api.ipify.org	A 173.231.16.77 A 64.185.227.156 CNAME api4.ipify.org A 104.237.62.212	104.237.62.212
zonealarm.com	A 209.87.209.205	209.87.209.205
iplogger.com	A 172.67.188.178 A 104.21.76.57	172.67.188.178
bbuseruploads.s3.amazonaws.com	A 16.182.67.73 A 54.231.199.249 A 3.5.28.176 CNAME s3-1-w.amazonaws.com A 52.216.41.49 A 52.217.89.132 CNAME s3-w.us-east-1.amazonaws.com A 16.182.108.169 A 52.217.234.193 A 3.5.3.100	52.217.101.204
budgienation.net	A 172.67.165.8 A 104.21.33.167	104.21.33.167
net.geo.opera.com	A 107.167.110.211 A 107.167.110.216 CNAME lati.lb.opera.technology CNAME us.net.opera.com	107.167.110.216
potatogoose.com	A 172.67.180.173 A 104.21.35.235	172.67.180.173

IP Address	Status	Action
104.192.141.1	Active	Moloch
104.20.68.143	Active	Moloch
104.21.30.5	Active	Moloch
104.21.33.167	Active	Moloch
104.21.79.77	Active	Moloch
104.21.93.225	Active	Moloch
107.167.110.211	Active	Moloch
158.160.130.138	Active	Moloch
164.124.101.2	Active	Moloch
172.67.180.173	Active	Moloch
172.67.188.178	Active	Moloch
185.85.15.46	Active	Moloch
192.0.66.233	Active	Moloch
194.49.94.85	Active	Moloch
209.87.209.205	Active	Moloch
3.5.28.176	Active	Moloch
47.236.140.86	Active	Moloch
5.42.64.35	Active	Moloch
64.185.227.156	Active	Moloch
91.92.254.7	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:53658 -> 164.124.101.2:53	2047719	ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49167 -> 104.21.79.77:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49171 -> 172.67.188.178:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49171 -> 172.67.188.178:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49172 -> 104.21.93.225:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49173 -> 104.21.30.5:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	Potentially Bad Traffic
TCP 192.168.56.103:49169 -> 5.42.64.35:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49166 -> 104.20.68.143:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49170 -> 104.192.141.1:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49168 -> 47.236.140.86:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 47.236.140.86:80 -> 192.168.56.103:49168	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 47.236.140.86:80 -> 192.168.56.103:49168	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 47.236.140.86:80 -> 192.168.56.103:49168	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 5.42.64.35:80 -> 192.168.56.103:49169	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 5.42.64.35:80 -> 192.168.56.103:49169	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 5.42.64.35:80 -> 192.168.56.103:49169	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49178 -> 172.67.180.173:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49179 -> 104.21.33.167:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49177 -> 107.167.110.211:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49180 -> 3.5.28.176:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.103:60225 -> 164.124.101.2:53	2047702	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup	Misc activity
UDP 192.168.56.103:60225 -> 8.8.8.8:53	2047702	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup	Misc activity
TCP 192.168.56.103:49192 -> 64.185.227.156:80	2029622	ET POLICY External IP Lookup (ipify .org)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49192 -> 64.185.227.156:80	2011227	ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))	Potentially Bad Traffic
TCP 192.168.56.103:49196 -> 5.42.64.35:80	2011227	ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))	Potentially Bad Traffic
TCP 192.168.56.103:49196 -> 5.42.64.35:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49194 -> 91.92.254.7:80	2011227	ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))	Potentially Bad Traffic
TCP 192.168.56.103:49201 -> 172.67.188.178:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49201 -> 172.67.188.178:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 5.42.64.35:80 -> 192.168.56.103:49196	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 5.42.64.35:80 -> 192.168.56.103:49196	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49223 -> 192.0.66.233:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49215 -> 185.85.15.46:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49210 -> 185.85.15.46:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49214 -> 185.85.15.46:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49211 -> 185.85.15.46:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49218 -> 192.0.66.233:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.85.15.46:443 -> 192.168.56.103:49212	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 185.85.15.46:443 -> 192.168.56.103:49216	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49219 -> 192.0.66.233:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.0.66.233:443 -> 192.168.56.103:49224	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.0.66.233:443 -> 192.168.56.103:49220	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49222 -> 192.0.66.233:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49206 -> 209.87.209.205:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49203 -> 209.87.209.205:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49202 -> 209.87.209.205:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49207 -> 209.87.209.205:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.103:49167 104.21.79.77:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=yip.su	ae:5e:4a:71:b1:d8:2b:45:95:b2:33:e9:8b:5f:fa:b4:9c:9e:fd:8f
TLS 1.2 192.168.56.103:49171 172.67.188.178:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=iplogger.com	c1:91:92:9b:9a:80:29:75:dc:65:9b:a4:c0:11:8c:ac:72:d6:77:58
TLS 1.2 192.168.56.103:49172 104.21.93.225:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=flyawayaero.net	b3:ec:66:5d:75:35:6c:24:98:34:68:0d:64:f9:b5:ca:b5:31:53:be
TLS 1.2 192.168.56.103:49173 104.21.30.5:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=randomdomainname.org	56:29:ae:9f:45:42:bb:95:38:08:ee:05:21:e7:f9:74:b1:3a:1d:c2
TLS 1.2 192.168.56.103:49166 104.20.68.143:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	55:c8:82:61:30:05:42:80:db:47:5e:d0:66:b5:df:ac:14:5b:19:6f
TLS 1.2 192.168.56.103:49170 104.192.141.1:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Delaware, unknown=Private Organization, serialNumber=3928449, C=US, ST=California, L=San Francisco, O=Atlassian US, Inc., CN=bitbucket.org	d4:63:2a:05:af:e6:e1:c6:be:ee:c7:40:96:77:ef:14:9d:17:12:09
TLS 1.2 192.168.56.103:49178 172.67.180.173:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=potatogoose.com	d5:8d:43:61:32:d2:ee:de:a0:6e:9f:2e:0f:97:b0:a4:8d:ad:1d:75
TLS 1.2 192.168.56.103:49179 104.21.33.167:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=budgienation.net	86:9b:24:1c:80:b6:77:be:c7:31:c7:03:d5:fe:95:15:bf:50:90:0f
TLS 1.2 192.168.56.103:49177 107.167.110.211:443	C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1	C=NO, ST=Oslo, L=Oslo, O=Opera Norway AS, CN=net.geo.opera.com	8b:1e:84:38:9c:97:8c:be:f7:e1:0e:28:14:15:bb:08:cc:fb:ad:af
TLS 1.2 192.168.56.103:49180 3.5.28.176:443	C=US, O=Amazon, CN=Amazon RSA 2048 M01	CN=*.s3.amazonaws.com	dc:41:a6:3e:ee:32:6f:36:76:5a:ef:9d:17:af:14:13:e3:05:c6:d1
TLSv1 192.168.56.103:49201 172.67.188.178:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=iplogger.com	c1:91:92:9b:9a:80:29:75:dc:65:9b:a4:c0:11:8c:ac:72:d6:77:58

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Dec. 23, 2023, 6:16 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 23, 2023, 6:16 p.m.			0	0
IsDebuggerPresent Dec. 23, 2023, 6:16 p.m.			0	0
IsDebuggerPresent Dec. 23, 2023, 6:16 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 23, 2023, 6:09 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (16 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://47.236.140.86/s/twty.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://5.42.64.35/InstallSetup3.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://galandskiyher5.com/downloads/toolspub4.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
suspicious_features	Connection to IP address	suspicious_request	GET http://91.92.254.7/scripts/plus.php?ip=175.208.134.152&substr=three&s=ab
suspicious_features	Connection to IP address	suspicious_request	GET http://5.42.64.35/syncUpd.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://yip.su/RNWPd.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://pastebin.com/raw/E0rY26ni
suspicious_features	GET method with no useragent header	suspicious_request	GET https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.com/1gDcm4
suspicious_features	GET method with no useragent header	suspicious_request	GET https://randomdomainname.org/2cba948feb9c53fce4409f0079aec61c.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://bitbucket.org/micaorrsoft/update/downloads/a01.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://potatogoose.com/8c35a460636521ed0deef49f6749c0e3/baf14778c246e15550645e30ba78ce1c.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://budgienation.net/8c35a460636521ed0deef49f6749c0e3/2cba948feb9c53fce4409f0079aec61c.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
suspicious_features	GET method with no useragent header	suspicious_request	GET https://bbuseruploads.s3.amazonaws.com/c653674a-68fa-46c6-b413-9e71a0a3be60/downloads/7cc5bf80-2f20-4024-8172-c47af249efe9/a01.exe?response-content-disposition=attachment%3B%20filename%3D%22a01.exe%22&AWSAccessKeyId=ASIA6KOSE3BNLFZPBG6X&Signature=k4eYmK01rl8PGp4sOTTE04lteD0%3D&x-amz-security-token=IQoJb3JpZ2luX2VjELr%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIQDzQD%2B3UL8xV1DvAUP2KA45yti0HItkJ7%2FZj%2BYPZQQy%2BAIgK%2BOaDvdrjmeM3oRZP0OlFI2Pl%2B7GauL9ExmwyykyfrwqpwIIQhAAGgw5ODQ1MjUxMDExNDYiDOob2cJxt3Exs6kaAiqEAh4UYnRFarCTXYvHT0WXfJIgVuJuVvzUOPIbUG1w3nq2Yphc6rTsOhGwJcQzKyRWF%2BFm10oe88IpTj4lNM0gXnjCTwZXQVKi1Uz9JNwgbaaYzUofoIP2CZjnvaRuOYs0d6gOPdtnykb2eWeS2dGifaFBhMq%2BTovxD1l5xXeH3tHvHNOaHU%2F7ARV55Dc9YfRvdX2zOOUhEp62CjCviT3FBfq3tK8eLfJ2mwSddoM%2FvxLRaudgcAE%2FiTTi0RrZN5feEmr54GKsqEohzoLCOWAVpxR0dUkQrUDuJVTdHHFSkuX%2FWnX7mWGXITM985Y282tuaPXm6LdfM5BRgxr0vV3YWCtcSJnXMLjKmqwGOp0B5x1g24OisxHRKZUaNxp9%2BSGjgOsFU3J%2Fbs39LZmb4y%2BP29AtY729%2BALyUGmbQ3ghX9X%2FHvfZiW7jkSIo533BZtqI2LeUKLMZGFRSS862V%2FwPY7aL9mQD2m03u7eiKl8%2BE2Kc5rYFMkJjjg%2BliR6dKkTaba%2FDuj%2FNE2de8W4Y9dFnibQCoicKOX5nhXD%2B3R8dFgBbmLV9RQDHhvlDPg%3D%3D&Expires=1703324736

Performs some HTTP requests (18 events)

request	GET http://47.236.140.86/s/twty.exe
request	GET http://5.42.64.35/InstallSetup3.exe
request	GET http://galandskiyher5.com/downloads/toolspub4.exe
request	GET http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
request	GET http://api.ipify.org/?format=wet
request	GET http://91.92.254.7/scripts/plus.php?ip=175.208.134.152&substr=three&s=ab
request	GET http://5.42.64.35/syncUpd.exe
request	GET https://yip.su/RNWPd.exe
request	GET https://pastebin.com/raw/E0rY26ni
request	GET https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe
request	GET https://iplogger.com/1gDcm4
request	GET https://randomdomainname.org/2cba948feb9c53fce4409f0079aec61c.exe
request	GET https://bitbucket.org/micaorrsoft/update/downloads/a01.exe
request	GET https://potatogoose.com/8c35a460636521ed0deef49f6749c0e3/baf14778c246e15550645e30ba78ce1c.exe
request	GET https://budgienation.net/8c35a460636521ed0deef49f6749c0e3/2cba948feb9c53fce4409f0079aec61c.exe
request	GET https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
request	GET https://bbuseruploads.s3.amazonaws.com/c653674a-68fa-46c6-b413-9e71a0a3be60/downloads/7cc5bf80-2f20-4024-8172-c47af249efe9/a01.exe?response-content-disposition=attachment%3B%20filename%3D%22a01.exe%22&AWSAccessKeyId=ASIA6KOSE3BNLFZPBG6X&Signature=k4eYmK01rl8PGp4sOTTE04lteD0%3D&x-amz-security-token=IQoJb3JpZ2luX2VjELr%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIQDzQD%2B3UL8xV1DvAUP2KA45yti0HItkJ7%2FZj%2BYPZQQy%2BAIgK%2BOaDvdrjmeM3oRZP0OlFI2Pl%2B7GauL9ExmwyykyfrwqpwIIQhAAGgw5ODQ1MjUxMDExNDYiDOob2cJxt3Exs6kaAiqEAh4UYnRFarCTXYvHT0WXfJIgVuJuVvzUOPIbUG1w3nq2Yphc6rTsOhGwJcQzKyRWF%2BFm10oe88IpTj4lNM0gXnjCTwZXQVKi1Uz9JNwgbaaYzUofoIP2CZjnvaRuOYs0d6gOPdtnykb2eWeS2dGifaFBhMq%2BTovxD1l5xXeH3tHvHNOaHU%2F7ARV55Dc9YfRvdX2zOOUhEp62CjCviT3FBfq3tK8eLfJ2mwSddoM%2FvxLRaudgcAE%2FiTTi0RrZN5feEmr54GKsqEohzoLCOWAVpxR0dUkQrUDuJVTdHHFSkuX%2FWnX7mWGXITM985Y282tuaPXm6LdfM5BRgxr0vV3YWCtcSJnXMLjKmqwGOp0B5x1g24OisxHRKZUaNxp9%2BSGjgOsFU3J%2Fbs39LZmb4y%2BP29AtY729%2BALyUGmbQ3ghX9X%2FHvfZiW7jkSIo533BZtqI2LeUKLMZGFRSS862V%2FwPY7aL9mQD2m03u7eiKl8%2BE2Kc5rYFMkJjjg%2BliR6dKkTaba%2FDuj%2FNE2de8W4Y9dFnibQCoicKOX5nhXD%2B3R8dFgBbmLV9RQDHhvlDPg%3D%3D&Expires=1703324736
request	GET https://iplogger.com/19hVA4

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

yip.su

description

Soviet Union domain TLD

Allocates read-write-execute memory (usually to unpack itself) (30 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Dec. 23, 2023, 6:16 p.m.	process_identifier: 2400 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00540000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 23, 2023, 6:16 p.m.	process_identifier: 2400 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 23, 2023, 6:16 p.m.	process_identifier: 2400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 23, 2023, 6:16 p.m.	process_identifier: 2400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 23, 2023, 6:16 p.m.	process_identifier: 2400 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02160000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 23, 2023, 6:16 p.m.	process_identifier: 2400 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 23, 2023, 6:16 p.m.	process_identifier: 2400 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00432000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 23, 2023, 6:16 p.m.	process_identifier: 2400 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00565000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 23, 2023, 6:16 p.m.	process_identifier: 2400 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 23, 2023, 6:16 p.m.	process_identifier: 2400 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00567000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 23, 2023, 6:16 p.m.	process_identifier: 2400 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 23, 2023, 6:16 p.m.	process_identifier: 2400 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00556000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 23, 2023, 6:16 p.m.	process_identifier: 2400 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 23, 2023, 6:16 p.m.	process_identifier: 2400 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 23, 2023, 6:16 p.m.	process_identifier: 2400 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 23, 2023, 6:16 p.m.	process_identifier: 2400 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 23, 2023, 6:16 p.m.	process_identifier: 2400 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 23, 2023, 6:16 p.m.	process_identifier: 2400 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 23, 2023, 6:16 p.m.	process_identifier: 2400 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 23, 2023, 6:16 p.m.	process_identifier: 2580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02dc0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 23, 2023, 6:16 p.m.	process_identifier: 2580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03090000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 23, 2023, 6:16 p.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 544768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00950000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 23, 2023, 6:16 p.m.	process_identifier: 2684 region_size: 704512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02240000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 23, 2023, 6:17 p.m.	process_identifier: 2732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4161536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02600000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 23, 2023, 6:17 p.m.	process_identifier: 2732 region_size: 9351168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 23, 2023, 6:17 p.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4161536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02610000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 23, 2023, 6:17 p.m.	process_identifier: 2756 region_size: 9351168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 23, 2023, 6:17 p.m.	process_identifier: 2924 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 23, 2023, 6:17 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 61440 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0027c000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 23, 2023, 6:17 p.m.	process_identifier: 2100 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (4 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW Dec. 23, 2023, 6:17 p.m.	total_number_of_free_bytes: 9879339008 free_bytes_available: 9879339008 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Dec. 23, 2023, 6:17 p.m.	total_number_of_free_bytes: 9926508544 free_bytes_available: 9926508544 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Dec. 23, 2023, 6:17 p.m.	total_number_of_free_bytes: 9978843136 free_bytes_available: 9978843136 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Dec. 23, 2023, 6:17 p.m.	total_number_of_free_bytes: 9978843136 free_bytes_available: 9978843136 root_path: C: total_number_of_bytes: 34252779520	1	1

Looks up the external IP address (1 event)

domain

api.ipify.org

Creates executable files on the filesystem (36 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cb9F54Hr6tnRAYky1mxvduaW.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\J2Bqka6WQUYC3C1oUt81SJN1.bat
file	C:\Users\test22\AppData\Local\Temp\nsuCF7.tmp\Zip.dll
file	C:\Users\test22\Pictures\xxVA1wFApK5K0025cO6LKkqR.exe
file	C:\Users\test22\Pictures\tOtcmAUyZOxR462do2YSqCR9.exe
file	C:\Users\test22\Pictures\ugttmv0bWvGn3XMEJXD45JlM.exe
file	C:\Users\test22\AppData\Local\DeBd4uPAuFJQkbEv8hWmHCy8.exe
file	C:\Users\test22\Pictures\GuMIRR01ABdwlRPjBwLToenr.exe
file	C:\Users\test22\AppData\Local\KHsHcRv0GeWg5yK9vZcIV01Q.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClocX\ClocX.lnk
file	C:\Users\test22\AppData\Local\zU95NkXKdJdIDSwnGhuAJ8U8.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0MxHFtTk4hqHtWhmgF3yO6er.bat
file	C:\Users\test22\Pictures\SS6Yx9EBpDnr7H5AwiVDv6Bl.exe
file	C:\Users\test22\Pictures\ioi8yd2UPb6FG1ufkh1HC1to.exe
file	C:\Program Files (x86)\ClocX\BackupAlarms.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eq7MXwvYoaVKP6PO5U4o8UMy.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zrs0ntUAYLSq91SSl1lxHJbS.bat
file	C:\Users\test22\Pictures\Opera_installer_2312231557071713008.dll
file	C:\Users\test22\AppData\Local\Temp\BroomSetup.exe
file	C:\Users\test22\AppData\Local\9uGBJAt4sFywx5x5cpcqt0oY.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LWK3Fl3zoxwTQG3xqCVkHJDh.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\R09kR5er53bKBiz8S4wdhScp.bat
file	C:\Users\test22\AppData\Local\Temp\Opera_installer_2312231557071563008.dll
file	C:\Users\test22\AppData\Local\Temp\nsj2581.tmp\INetC.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClocX\Uninstall.lnk
file	C:\Users\test22\AppData\Local\Temp\nsuCF7.tmp\Checker.dll
file	C:\Program Files (x86)\ClocX\uninst.exe
file	C:\Users\test22\AppData\Local\mEfQBOR8XUDlt33AZtNXgKrt.exe
file	C:\Users\test22\AppData\Local\uakGeV2JFr2R8DTRJcfdguCZ.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KYU3wTLqhy8tYNqsWDQ6eJoO.bat
file	C:\Users\test22\Pictures\gqMkx4er7nBoRiuXIngJdzJX.exe
file	C:\Users\test22\Pictures\jkBSx0PNHElKEPX505wphL5k.exe
file	C:\Users\test22\AppData\Local\Temp\nsx392A.tmp.exe
file	C:\Program Files (x86)\ClocX\ClocX.exe
file	C:\Users\test22\AppData\Local\gocTeRJBTnUbC5AL5bDyKyry.exe
file	C:\Users\test22\AppData\Local\6nkS82JQPZQDsCMh6Ej5QIOV.exe

Creates a shortcut to an executable file (2 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClocX\Uninstall.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClocX\ClocX.lnk

Drops an executable to the user AppData folder (17 events)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe
file	C:\Users\test22\AppData\Local\Temp\BroomSetup.exe
file	C:\Users\test22\AppData\Local\6nkS82JQPZQDsCMh6Ej5QIOV.exe
file	C:\Users\test22\AppData\Local\Temp\202005191702_6d173b9549ce4fe1e5ada5ab9ce0bfff5d9569f19e7fa916db5c8d4f0dace63b_setup_nwc275a_demo.exe
file	C:\Users\test22\AppData\Local\zU95NkXKdJdIDSwnGhuAJ8U8.exe
file	C:\Users\test22\AppData\Local\Temp\nsuCF7.tmp\Checker.dll
file	C:\Users\test22\AppData\Local\Temp\Setup00000994\OSETUPUI.DLL
file	C:\Users\test22\AppData\Local\uakGeV2JFr2R8DTRJcfdguCZ.exe
file	C:\Users\test22\AppData\Local\Temp\Setup00000994\OSETUP.DLL
file	C:\Users\test22\AppData\Local\Temp\nsx392A.tmp.exe
file	C:\Users\test22\AppData\Local\Temp\Setup000023ac\OSETUP.DLL
file	C:\Users\test22\AppData\Local\mEfQBOR8XUDlt33AZtNXgKrt.exe
file	C:\Users\test22\AppData\Local\Temp\Setup000023ac\ose00000.exe
file	C:\Users\test22\AppData\Local\Temp\Setup00000994\ose00000.exe
file	C:\Users\test22\AppData\Local\Temp\nsj2581.tmp\INetC.dll
file	C:\Users\test22\AppData\Local\Temp\nsuCF7.tmp\Zip.dll
file	C:\Users\test22\AppData\Local\Temp\Setup000023ac\OSETUPUI.DLL

A process created a hidden window (8 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Dec. 23, 2023, 6:16 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\ioi8yd2UPb6FG1ufkh1HC1to.exe parameters: filepath: C:\Users\test22\Pictures\ioi8yd2UPb6FG1ufkh1HC1to.exe		0
ShellExecuteExW Dec. 23, 2023, 6:16 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\gqMkx4er7nBoRiuXIngJdzJX.exe parameters: filepath: C:\Users\test22\Pictures\gqMkx4er7nBoRiuXIngJdzJX.exe		0
ShellExecuteExW Dec. 23, 2023, 6:16 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\ugttmv0bWvGn3XMEJXD45JlM.exe parameters: filepath: C:\Users\test22\Pictures\ugttmv0bWvGn3XMEJXD45JlM.exe	1	1
ShellExecuteExW Dec. 23, 2023, 6:16 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\SS6Yx9EBpDnr7H5AwiVDv6Bl.exe parameters: filepath: C:\Users\test22\Pictures\SS6Yx9EBpDnr7H5AwiVDv6Bl.exe	1	1
ShellExecuteExW Dec. 23, 2023, 6:16 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\jkBSx0PNHElKEPX505wphL5k.exe parameters: filepath: C:\Users\test22\Pictures\jkBSx0PNHElKEPX505wphL5k.exe	1	1
ShellExecuteExW Dec. 23, 2023, 6:16 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\xxVA1wFApK5K0025cO6LKkqR.exe parameters: filepath: C:\Users\test22\Pictures\xxVA1wFApK5K0025cO6LKkqR.exe	1	1
ShellExecuteExW Dec. 23, 2023, 6:16 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\tOtcmAUyZOxR462do2YSqCR9.exe parameters: filepath: C:\Users\test22\Pictures\tOtcmAUyZOxR462do2YSqCR9.exe	1	1
ShellExecuteExW Dec. 23, 2023, 6:17 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\GuMIRR01ABdwlRPjBwLToenr.exe parameters: --silent --allusers=0 filepath: C:\Users\test22\Pictures\GuMIRR01ABdwlRPjBwLToenr.exe	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Dec. 23, 2023, 6:16 p.m.	process_identifier: 2580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 61440 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Dec. 23, 2023, 6:16 p.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process totcmauyzoxr462do2ysqcr9.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Dec. 23, 2023, 6:17 p.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $¤© ßÅÇóßÅÇóßÅÇóÁCóöÅÇóÁRóÅÅÇóÁDóPÅÇóø¼óØÅÇóßÅÆóXÅÇóÁMóÞÅÇóÁSóÞÅÇóÁVóÞÅÇóRichßÅÇóPEL³EÓcà HX!`@à"ïlP ¥`(.textGH `.rdata 8`:L@@.datah &@À.jodozA¬@À.rsrc µ ¦°@@ ÃÌÌÌÌÌÌÌÌÌÌÌÙîéËÊÌÌÌÌÌÌÌÌÌÙîìÝ$ècÉÄÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌ3ÉÇ@HHÃ~rFPè( Ä3ÀÇFFFÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌ\|$t~rFPèñ ÄÇFÇFÆFÂÌÌÂÌÌÌÌÌÌÌÌÌÌÌÌÌ3ÉxHr@ÃHÃÌÌÌÌÌÌÌÌÌÌÌxr@ÃÀÃÌÌÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌPè YÃÌÌÌÌÌÌÌÌjPjVèw ÄÆÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌQD$YÃÌÿ%Ø`Cÿ%Ð`Cÿ%Ì`Cÿ%È`Cÿ%Ä`Cÿ%l`Cÿ%`Cÿ%`Cÿ% `Cÿ%$`Cÿ%(`Cÿ%,`Cÿ%0`Cÿ%4`Cÿ%8`Cÿ%<`Cÿ%@`Cÿ%D`Cÿ%H`Cÿ%L`Cÿ%P`Cÿ%T`Cÿ%X`Cÿ%\`Cÿ%``Cÿ%d`Cÿ%h`Cÿ%Ô`Cÿ%p`Cÿ%t`Cÿ%x`Cÿ%\|`Cÿ%`Cÿ%`Cÿ%`Cÿ%`Cÿ%`Cÿ%`Cÿ%`Cÿ%`Cÿ% `Cÿ%¤`Cÿ%¨`Cÿ%¬`Cÿ%°`Cÿ%´`Cÿ%bCÿ% bCÿ%`Cÿ%`Cÿ%`Cÿ%`Cÿ%`C; CuóÃéÿUìì S3Û9]uèSSSSSÇèÄÈÿëME;ÃtÜVEèEàEPSÿuEàPÇEäÿÿÿÇEìBè¿ÄÿMäðxEàëEàPSèYYÆ^[ÉÃÿUìEPÿuÿuÿuèÿÄ]ÃÿUìEPjÿuÿuÿuèa"Ä]ÃÿUìEPÿuÿuÿuÿuèB"Ä]ÃÿUìEPjÿuÿuÿuÿuèÆ"Ä]ÃÿUìEPÿuÿuÿuÿuÿuè¤"Ä]ÃÿUìEPjÿuÿuÿuèÖ#Ä]ÃÿUìEPÿuÿuÿuÿuè·#Ä]ÃÿUìEPÿuè YY]ÃÿUìEPÿuè? YY]ÃÿUìEPÿuÿuè Ä]ÃÿUìEPÿuÿuè Ä]ÃÿUìQeüVEüPÿuÿuèf#ðÄöu9EütèËÀt èÂMüÆ^ÉÃjh Cè &3À3ö9uÀ;ÆuèÇVVVVVèÄÈÿë8è"$PVè3%YYuüÿuÿuÿuè$PÿUÄEäÇEüþÿÿÿèEäèæ%Ã3öèâ#PVèa%YYÃÿUìEPjÿuhr=@èbÿÿÿÄ]ÃÿUìEPÿuÿuhr=@èDÿÿÿÄ]ÃÿUìEPjÿuhEM@è'ÿÿÿÄ]ÃÿUìEPÿuÿuhEM@è ÿÿÿÄ]ÃÿUìj jÿuèKÄ]ÃÿUìÿuj jÿuè&KÄ]ÃÿUì]éÆÿÿÿÿUì]éÑÿÿÿÿUìj jÿuè÷MÄ]ÃÿUìÿuj jÿuè NÄ]ÃjhÀCè$3Û]ä3À};ûÀ;Ãuè$ÇSSSSSèÄ3Àëy3Àu;óÀ;ÃtÖ3À8À;ÃtËèÚPE;Ãu èãÇëÊ]ü8u èÏÇjþEðPh CèÞQÄë£PÿuVWèËMÄEäÇEüþÿÿÿè Eäè1$Ãÿuèv#YÃÿUìj@ÿuÿuèÿÿÿÄ]ÃÿUìVW}3ö;þuèXj_VVVVV8èÆÄÇë$hÿuÿuèêþÿÿÄ;Æt3Àëè _^]ÃÿUìì S3Û9]u èSSSSSÇèrÄÈÿéÅVuW};ût$;óu èÕSSSSSÇèBÄÈÿéÇEìBuèuàÿÿÿÿ?v ÇEäÿÿÿë?EäÿuEàÿuÿuPÿUÄE;ótU;Ã\|BÿMäx EàÿEàëEàPSèT YYøÿt"ÿMäxEàëEàPSè7 YYøÿtEë3À9]äfD~þÀHH_^[ÉÃÿUìÿujÿuÿuÿuhýi@èëþÿÿÄÀ}Èÿ]ÃÿUìÿuÿuÿuÿuÿuhýi@èÁþÿÿÄÀ}Èÿ]ÃÿUìV3ö9uuè½VVVVVÇèÄÈÿë^W};þt9uw èÇë3ÿuÿuÿuÿuWhçu@èZþÿÿÄ;Æ}3Éføþuè^Ç"VVVVVèËÄÈÿ_^]ÃÿUìÿujÿuÿuÿuè]ÿÿÿÄ]ÃÿUìS3Û9]u èSSSSSÇèÄÈÿéÜVuW9]u;óu9]u3ÀéÀ;ót};ûwèÐÇéèÀÿuÿuÿu;}v-8E@PVhçu@èýÿÿÄøþuKè8"ukè8ëbWVhçu@è]ýÿÿ3ÉÄfL~þøþu}ÿuè]8"u5èSë,3Û;Ã})ë3Û3Éføþuè6Ç"SSSSSè£ÄÈÿ_^[]ÃÿUìÿujÿuÿuÿuÿuèÙþÿÿÄ]ÃÿUìÿujÿuÿuÿuhÝ@èÄüÿÿÄÀ}Èÿ]ÃÿUìÿuÿuÿuÿuÿuhÝ@èüÿÿÄÀ}Èÿ]ÃÿUì]é{ÿUìVuW3ÿ;÷u3Àëe9}uèj^0WWWWWèíÄÆëE9}t9urVÿuÿuèÔ{ÄëÁÿuWÿuèC{Ä9}t¶9usè0j"YñëjX_^]ÃÿUìEV3ö;ÆuèVVVVVÇèyÄ3Àë@à^]ÃÿUìEV3ö;ÆuèØVVVVVÇèEÄ3Àë@à ^]ÃÿUìW¿èWÿà`CÿuÿÜ`CÇèÿ`êwÀtÞ_]ÃÿUìèÇÿuèîÿ5 Cèæ~hÿÿÐÄ]ÃÿUìhbCÿÜ`CÀthpbCPÿä`CÀtÿuÿÐ]ÃÿUì request_handle: 0x00cc000c	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000c5400', u'virtual_address': u'0x001a1000', u'entropy': 7.9995886243743435, u'name': u'UPX1', u'virtual_size': u'0x000c6000'}

entropy

7.99958862437

description

A section with a high entropy has been found

entropy

0.996212121212

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (1 event)

url	https://docs.microsoft.com/windows/win32/fileio/maximum-file-path-limitation

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 3a31887beb9adfae8689b20125e74f0627e02543

Communicates with host for which no DNS query was performed (3 events)

host	47.236.140.86
host	5.42.64.35
host	91.92.254.7

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Dec. 23, 2023, 6:09 p.m.	process_identifier: 2400 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000000ec	1	0	0

Attempts to identify installed AV products by installation directory (1 event)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe

Installs itself for autorun at Windows startup (8 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cb9F54Hr6tnRAYky1mxvduaW.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\R09kR5er53bKBiz8S4wdhScp.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\J2Bqka6WQUYC3C1oUt81SJN1.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zrs0ntUAYLSq91SSl1lxHJbS.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eq7MXwvYoaVKP6PO5U4o8UMy.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0MxHFtTk4hqHtWhmgF3yO6er.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LWK3Fl3zoxwTQG3xqCVkHJDh.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KYU3wTLqhy8tYNqsWDQ6eJoO.bat

Drops a binary and executes it (3 events)

file	C:\Users\test22\Pictures\ioi8yd2UPb6FG1ufkh1HC1to.exe
file	C:\Users\test22\Pictures\SS6Yx9EBpDnr7H5AwiVDv6Bl.exe
file	C:\Users\test22\Pictures\xxVA1wFApK5K0025cO6LKkqR.exe

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Drops 157 unknown file mime types indicative of ransomware writing encrypted files back to disk (50 out of 157 events)

file	C:\Windows\Prefetch\PYTHON.EXE-C663CFDC.pf
file	C:\Windows\Prefetch\GOOGLEUPDATESETUP.EXE-305B5E54.pf
file	C:\Windows\Prefetch\AUDIODG.EXE-BDFD3029.pf
file	C:\Windows\Prefetch\THUNDERBIRD.EXE-A0DA674F.pf
file	C:\Windows\Prefetch\DLLHOST.EXE-4F28A26F.pf
file	c:\Windows\Temp\fwtsqmfile01.sqm
file	C:\Windows\Prefetch\SVCHOST.EXE-7AC6742A.pf
file	C:\Windows\Prefetch\GOOGLEUPDATE.EXE-D0E66F4A.pf
file	C:\Windows\Prefetch\86.0.4240.111_CHROME_INSTALLE-AF26656A.pf
file	C:\Windows\Prefetch\CSC.EXE-BE9AC2DF.pf
file	c:\Windows\Temp\fwtsqmfile00.sqm
file	C:\Windows\Prefetch\TASKHOST.EXE-7238F31D.pf
file	C:\Windows\Prefetch\SOFTWARE_REPORTER_TOOL.EXE-EB18F4FF.pf
file	C:\Users\test22\AppData\Local\Temp\~DF8C0F100C7231519A.TMP
file	C:\Windows\Prefetch\IEXPLORE.EXE-908C99F8.pf
file	C:\Windows\Prefetch\DLLHOST.EXE-5E46FA0D.pf
file	C:\Users\test22\AppData\Local\gocTeRJBTnUbC5AL5bDyKyry.exe
file	C:\Windows\Prefetch\SLUI.EXE-724E99D9.pf
file	C:\Windows\Prefetch\RUNDLL32.EXE-1304AE86.pf
file	C:\Windows\Prefetch\PING.EXE-7E94E73E.pf
file	C:\Windows\Prefetch\GOOGLEUPDATE.EXE-C3A1B497.pf
file	C:\Windows\Prefetch\IEXPLORE.EXE-4B6C9213.pf
file	C:\Windows\Prefetch\WMIPRVSE.EXE-1628051C.pf
file	C:\Windows\Prefetch\DEFRAG.EXE-588F90AD.pf
file	C:\Windows\Prefetch\CHROME.EXE-D999B1BA.pf
file	C:\Windows\Prefetch\IMKRMIG.EXE-AAA206C5.pf
file	C:\Windows\Prefetch\UNPACK200.EXE-E4DF1A4E.pf
file	C:\Windows\Prefetch\DLLHOST.EXE-40DD444D.pf
file	C:\Windows\Prefetch\7ZFM.EXE-22E64FB8.pf
file	C:\Windows\Prefetch\GOOGLEUPDATESETUP.EXE-B0D5C571.pf
file	C:\Windows\Prefetch\GOOGLEUPDATESETUP.EXE-34B7EAE8.pf
file	C:\Windows\Prefetch\SVCHOST.EXE-E1E0ACE0.pf
file	C:\Windows\Prefetch\LOGONUI.EXE-09140401.pf
file	C:\Windows\Prefetch\AgGlFgAppHistory.db
file	C:\Windows\Prefetch\JAVAW.EXE-D0AA8787.pf
file	C:\Windows\Prefetch\SSVAGENT.EXE-0CD059B7.pf
file	C:\Windows\Prefetch\AgGlUAD_P_S-1-5-21-3832866432-4053218753-3017428901-1001.db
file	C:\Windows\Prefetch\OSE.EXE-2B23CA4C.pf
file	C:\Windows\Prefetch\INSTALLER.EXE-60163557.pf
file	C:\Windows\Prefetch\PINGSENDER.EXE-8E79128B.pf
file	C:\Windows\Prefetch\RUNDLL32.EXE-5A853E81.pf
file	C:\Windows\Prefetch\AgRobust.db
file	C:\Windows\Prefetch\ICACLS.EXE-B19DE1F7.pf
file	C:\Windows\Prefetch\IMEKLMG.EXE-3FEB7CC0.pf
file	C:\Windows\Prefetch\GOOGLEUPDATECOMREGISTERSHELL6-BB6760AF.pf
file	C:\Windows\Prefetch\NOTEPAD.EXE-D8414F97.pf
file	C:\Windows\Prefetch\7ZG.EXE-0F8C4081.pf
file	C:\Windows\Prefetch\CMD.EXE-AC113AA8.pf
file	C:\Windows\Prefetch\AgGlGlobalHistory.db
file	C:\Windows\Prefetch\ReadyBoot\Trace4.fx

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 448 events)

file	C:\Users\test22\Pictures\Opera_installer_2312231557071713008.dll
file	C:\Users\test22\AppData\Local\Temp\nsj2580.tmp
file	C:\Users\test22\AppData\Local\Temp\nsj2581.tmp
file	C:\Users\test22\AppData\Local\Temp\nsx1FC3.tmp
file	C:\Users\test22\AppData\Local\Temp\nsj2581.tmp\INetC.dll
file	C:\Users\test22\AppData\Local\Temp\SetupExe(20200504224110B04).log
file	C:\Windows\Prefetch\SNIPPINGTOOL.EXE-EFFDAFDE.pf
file	C:\Windows\Prefetch\IMEKLMG.EXE-3FEB7CC0.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1F4WQUHZ\dropbox_logo_text_2015-vfld7_dJ8[1].svg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\override[1].css
file	C:\Windows\Prefetch\SVCHOST.EXE-7AC6742A.pf
file	C:\Windows\Prefetch\SVCHOST.EXE-80F4A784.pf
file	C:\Users\test22\AppData\Local\Temp\dd_vcredist_amd64_20180201144548_000_vcRuntimeMinimum_x64.log
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\desktop.ini
file	C:\Users\test22\AppData\Local\Temp\{E7573238-1B24-467B-B5A4-0BE967E0BF64}.tmp
file	C:\Windows\Prefetch\CONTROL.EXE-817F8F1D.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U06NAGU2\mnrstrtr[1].js
file	C:\Windows\Prefetch\MSCORSVW.EXE-90526FAC.pf
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000026.log
file	C:\Windows\Prefetch\RUNDLL32.EXE-5A853E81.pf
file	C:\Windows\Prefetch\CVTRES.EXE-2B9D810D.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\SOC-Facebook[1].png
file	C:\Windows\Prefetch\RUNDLL32.EXE-8C11D845.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\f[2].txt
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\keys_js5[2].htm
file	C:\Windows\Prefetch\WERMGR.EXE-0F2AC88C.pf
file	C:\Windows\Prefetch\SVCHOST.EXE-E1E0ACE0.pf
file	C:\Windows\Prefetch\RUNDLL32.EXE-4366A668.pf
file	C:\Windows\Prefetch\RUNDLL32.EXE-87432CEE.pf
file	C:\Windows\Prefetch\AgGlUAD_P_S-1-5-21-3832866432-4053218753-3017428901-1001.db
file	C:\Windows\Prefetch\AgAppLaunch.db
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\syncUpd[1].exe
file	C:\Users\test22\AppData\Local\Temp\SetupExe(20180405152131B24).log
file	c:\Windows\Temp\TS_7FC6.tmp
file	C:\Windows\Prefetch\IEXPLORE.EXE-908C99F8.pf
file	C:\Windows\Prefetch\GOOGLEUPDATE.EXE-C3A1B497.pf
file	C:\Windows\Prefetch\RUNDLL32.EXE-1304AE86.pf
file	C:\Windows\Prefetch\AUDIODG.EXE-BDFD3029.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\AdPostInjectAsync[1].nhn
file	C:\Windows\Prefetch\AgGlGlobalHistory.db
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\ipsec[4].htm
file	C:\Windows\Prefetch\DEFRAG.EXE-588F90AD.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\invalidcert[1]
file	C:\Windows\Prefetch\DLLHOST.EXE-97F6A314.pf
file	C:\Users\test22\AppData\Local\Temp\UserInfoSetup(201804051522349E8).log
file	c:\Windows\Temp\TS_88E1.tmp
file	C:\Users\test22\AppData\Local\Temp\RD25B7.tmp
file	C:\Windows\Prefetch\JAVAWS.EXE-FE17358E.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\TopNav[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\554576[1].htm

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2336 resumed a thread in remote process 2400
NtResumeThread Dec. 23, 2023, 6:09 p.m.	thread_handle: 0x00000000000000e8 suspend_count: 1 process_identifier: 2400	1	0	0

Detects VirtualBox through the presence of a file (1 event)

file	C:\Windows\Prefetch\VBOXDRVINST.EXE-7DCD6070.pf

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Dec. 23, 2023, 6:16 p.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 events)

Bkav	W64.AIDetectMalware
Lionic	Trojan.Win32.Injuke.16!c
MicroWorld-eScan	Gen:Variant.Lazy.425526
Skyhigh	BehavesLike.Win64.Suspicioustrojan.bc
McAfee	Artemis!E0BC2140D5A1
Cylance	unsafe
VIPRE	Gen:Variant.Lazy.425526
Sangfor	Trojan.Win32.Kryptik.Vigk
Alibaba	Malware:Win32/km_28121.None
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (moderate confidence)
ESET-NOD32	a variant of Win64/Kryptik.EDP
Kaspersky	UDS:Trojan-Spy.Win32.Windigo.bhr
BitDefender	Gen:Variant.Lazy.425526
Avast	Win64:PWSX-gen [Trj]
Emsisoft	Gen:Variant.Lazy.425526 (B)
FireEye	Gen:Variant.Lazy.425526
Ikarus	Trojan.Win64.Krypt
Google	Detected
Microsoft	Trojan:Win32/Wacatac.B!ml
Arcabit	Trojan.Lazy.D67E36
ZoneAlarm	UDS:Trojan-Spy.Win32.Windigo.bhr
GData	Gen:Variant.Lazy.425526
ALYac	Gen:Variant.Lazy.425526
MAX	malware (ai score=82)
Malwarebytes	Generic.Malware/Suspicious
Fortinet	W64/GenKryptik.WQDW!tr
AVG	Win64:PWSX-gen [Trj]
Cybereason	malicious.ebd066

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

194.49.94.85:443

Rby1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All