Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
04.19 08:04
responsive.bootstrap4.css
04.19 08:04
AdminLTE.css
04.19 08:04
fontawesome-all.min.css
04.19 08:04
daterangepicker.css
04.19 08:04
dataTables.bootstrap4.css
04.19 08:04
jquery-migrate-1.2.1.j...
04.19 08:04
CommonResponsive.js.po...
04.19 08:04
jquery-ui.js.pobrane
04.19 08:04
jquery-3.0.0.js.pobrane
04.19 08:04
jquery.alerts.js.pobrane

Latest News
04.19 09:04
USA: Doge soll an umfa...
04.19 09:04
Don’t be so quick to c...
04.19 09:04
NDPC, Health Ministry ...
04.19 08:04
How To Hunt Web And Ne...
04.19 08:04
Will it Run Llama 2? N...
04.19 07:04
ASUS Confirms Critical...
04.19 07:04
Florida Man Enters the...
04.19 05:04
Kooperation für Krisen...
04.19 05:04
Open Source DMR Radio
04.19 05:04
Uncovering Device Acti...

Summary | ZeroBOX

EVEGBPOK.msi

CAB MSOffice File

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 15, 2025, 9:39 a.m.	April 15, 2025, 9:47 a.m.

Size	4.7MB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Alloy, Author: Fry Prophet, Keywords: Installer, Comments: This installer database contains the logic and data required to install Alloy., Template: Intel;1033, Revision Number: {8E117227-FACE-47F9-B409-3DF8EF23F251}, Create Time/Date: Thu Apr 10 10:57:28 2025, Last Saved Time/Date: Thu Apr 10 10:57:28 2025, Number of Pages: 500, Number of Words: 10, Name of Creating Application: WiX Toolset (4.0.0.0), Security: 2
MD5	`b7ebb3cd13958da87889abf3e15c99c8`
SHA256	`c66dd45611ef08f003d959555d0172a269f679e7fc4333c3596f30d1806aea1d`
CRC32	`6BE0231E`
ssdeep	`98304:Gc1agUWKRHzkXiy0q8cWzQ/BP94duNdcpUhpLPqiS:LanW+HzYT0r0t9midcahpM`
Yara	CAB_file_format - CAB archive file Microsoft_Office_File_Zero - Microsoft Office File

msiexec.exe "C:\Windows\System32\msiexec.exe" /I C:\Users\test22\AppData\Local\Temp\EVEGBPOK.msi
2548
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
_googlecast._tcp.local
translate.googleapis.com	A 142.250.199.202	142.250.207.106
www.gstatic.com	A 142.250.198.131	142.250.206.227
clientservices.googleapis.com	A 142.250.71.163	172.217.161.195

IP Address	Status	Action
142.250.198.131	Active	Moloch
142.250.199.202	Active	Moloch
142.250.71.163	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49165 -> 142.250.71.163:443	906200038	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Adware)	undefined
TCP 192.168.56.101:49164 -> 142.250.199.202:443	906200038	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Adware)	undefined
TCP 192.168.56.101:49171 -> 142.250.198.131:443	906200038	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Adware)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49165 142.250.71.163:443	C=US, O=Google Trust Services, CN=WE2	CN=upload.video.google.com	62:3a:f6:bd:3a:0b:ed:3b:16:28:ba:75:d2:00:cf:50:37:6c:20:50
TLS 1.2 192.168.56.101:49164 142.250.199.202:443	C=US, O=Google Trust Services, CN=WE2	CN=upload.video.google.com	62:3a:f6:bd:3a:0b:ed:3b:16:28:ba:75:d2:00:cf:50:37:6c:20:50
TLS 1.2 192.168.56.101:49171 142.250.198.131:443	C=US, O=Google Trust Services, CN=WE2	CN=*.gstatic.com	2b:99:7d:02:90:41:d5:25:94:22:ae:76:27:0d:25:da:df:d2:0a:f1

Queries for the computername (3 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW April 15, 2025, 9:39 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameA April 15, 2025, 9:39 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW April 15, 2025, 9:39 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 15, 2025, 9:39 a.m.			0	0

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 15, 2025, 9:39 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (18 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 15, 2025, 9:39 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736b1000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 15, 2025, 9:39 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73951000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 15, 2025, 9:39 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b01000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 15, 2025, 9:39 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ac4000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 15, 2025, 9:39 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b02000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 15, 2025, 9:39 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x728d1000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 15, 2025, 9:39 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72bc1000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 15, 2025, 9:39 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 15, 2025, 9:39 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ba1000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 15, 2025, 9:39 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72881000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory April 15, 2025, 9:39 a.m.	process_identifier: 2548 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04020000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory April 15, 2025, 9:39 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x041b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 15, 2025, 9:39 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72872000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory April 15, 2025, 9:39 a.m.	process_identifier: 2548 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x041f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory April 15, 2025, 9:39 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 15, 2025, 9:39 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 15, 2025, 9:39 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75511000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory April 15, 2025, 9:33 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004180000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0	0

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (4 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW April 15, 2025, 9:39 a.m.	total_number_of_free_bytes: 13316190208 free_bytes_available: 13316190208 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0
GetDiskFreeSpaceW April 15, 2025, 9:39 a.m.	number_of_free_clusters: 3251023 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1	0
GetDiskFreeSpaceExW April 15, 2025, 9:39 a.m.	total_number_of_free_bytes: 13316190208 free_bytes_available: 13316190208 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0
GetDiskFreeSpaceW April 15, 2025, 9:39 a.m.	number_of_free_clusters: 3251023 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (16 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 15, 2025, 9:39 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1	0
LookupPrivilegeValueW April 15, 2025, 9:39 a.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1	0
LookupPrivilegeValueW April 15, 2025, 9:39 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1	0
LookupPrivilegeValueW April 15, 2025, 9:39 a.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1	0
LookupPrivilegeValueW April 15, 2025, 9:39 a.m.	system_name: privilege_name: SeTcbPrivilege	1	1	0
LookupPrivilegeValueW April 15, 2025, 9:39 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1	0
LookupPrivilegeValueW April 15, 2025, 9:39 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1	0
LookupPrivilegeValueW April 15, 2025, 9:39 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1	0
LookupPrivilegeValueW April 15, 2025, 9:39 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1	0
LookupPrivilegeValueW April 15, 2025, 9:39 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1	0
LookupPrivilegeValueW April 15, 2025, 9:39 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1	0
LookupPrivilegeValueW April 15, 2025, 9:39 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW April 15, 2025, 9:39 a.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1	0
LookupPrivilegeValueW April 15, 2025, 9:39 a.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1	0
LookupPrivilegeValueW April 15, 2025, 9:39 a.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1	0
LookupPrivilegeValueW April 15, 2025, 9:39 a.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1	0

File has been identified by 10 AntiVirus engines on VirusTotal as malicious (10 events)

ESET-NOD32	Win32/TrojanDownloader.Rugmi.ARD
Cynet	Malicious (score: 99)
Rising	Trojan.HijackLoader!1.12810 (CLASSIC)
F-Secure	Trojan.TR/Dldr.Rugmi.jwcoc
Google	Detected
Avira	TR/Dldr.Rugmi.jwcoc
GData	Generic.Trojan.Agent.C0OQYY
VBA32	BScope.TrojanPSW.Lumma
Ikarus	Trojan-Downloader.Win32.Rugmi
Fortinet	W32/Rugmi.ARD!tr.dldr