Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 12, 2021, 10:14 a.m.	May 12, 2021, 10:21 a.m.

Size	1.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
MD5	`c6b9737dd5705a2ac1920c5cbac89abf`
SHA256	`ff550d834cbad023b595e724c47cb9fe47ba66af9a22992a9ea89a686fcbb66a`
CRC32	`8D8927BA`
ssdeep	`24576:v1qUuXZrleK2Jsz7vYTF6TdpnF1eVJix3wq8OZ9+aLTeX0OWBF:v1qUuXeTc7gTsT/ugww99Pey`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

bella.txt "C:\Users\test22\AppData\Local\Temp\bella.txt"
2648
- makecab.exe "C:\Windows\System32\makecab.exe"
  2240
- cmd.exe "C:\Windows\System32\cmd.exe" /c iqNOHdjFJRyhysPKrZOyDFL & okDksJPSlGbcVRHiSeznxx & hAaVTUKoBgyGcM & gqwjrmT & cmd < Estate.wms
  2744
  - cmd.exe cmd
    1976
    - findstr.exe findstr /V /R "^IRYjqEeSlHqUOmgNEQyuRToTmXianaMtsAbasYwuofIOxmdrAdyKMFuPItNebJxSVVDheWcGOYXClxmZHrSojeaLxIJhlZImVQSnVewEUmVNHEEgENczQjFTDRTzjocPdnGzBwrEwghMuFtPrc$" Tele.wms
      2672
    - Diritto.exe.com Diritto.exe.com o
      2696
      - Diritto.exe.com C:\Users\test22\AppData\Roaming\PjaGjBjjgOVdKYNVYmnWuQlkcROabisQzuDJBhnHgwRSAcsfjygDwWgZwukcMTPubtXEctxLwRHtY\Diritto.exe.com o
        2576
        
        schtasks.exe schtasks.exe /create /tn "xNBSMJllYe" /tr "C:\\Users\\test22\\AppData\\Roaming\\gXjmjGiawO\\xNBSMJllYe.exe.com C:\\Users\\test22\\AppData\\Roaming\\gXjmjGiawO\\Q" /sc onstart /F /RU SYSTEM
        2524
    - PING.EXE ping 127.0.0.1 -n 30
      1768

Name	Response	Post-Analysis Lookup
KxYGnlNPQkvockntKh.KxYGnlNPQkvockntKh

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW May 12, 2021, 10:14 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 12, 2021, 10:14 a.m.			0	0
IsDebuggerPresent May 12, 2021, 10:14 a.m.			0	0

Command line console output was observed (50 out of 2357 events)

Time & API	Arguments	Status	Return
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: C console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: a console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: b console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: n console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: t console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: M console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: a console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: k console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: L console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: D console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: a console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: t console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: a console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: C console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: m console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: n console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: T console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: M console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: K console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: E console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: C console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: B console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: V console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: n console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: D console_handle: 0x00000007	1	1
WriteConsoleA May 12, 2021, 10:14 a.m.	buffer: v console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 12, 2021, 10:14 a.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 12, 2021, 10:15 a.m.	stacktrace: RtlpNtEnumerateSubKey+0x2a2b isupper-0x4e2b ntdll+0xcf559 @ 0x7746f559 RtlpNtEnumerateSubKey+0x2b0b isupper-0x4d4b ntdll+0xcf639 @ 0x7746f639 RtlUlonglongByteSwap+0xba5 RtlFreeOemString-0x20d35 ntdll+0x7df95 @ 0x7741df95 HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757314dd diritto+0x32e04 @ 0xca2e04 diritto+0x201f8 @ 0xc901f8 diritto+0x70221 @ 0xce0221 diritto+0x1a93e @ 0xc8a93e diritto+0x1a8df @ 0xc8a8df diritto+0x1a93e @ 0xc8a93e diritto+0x1a93e @ 0xc8a93e diritto+0x12d7d @ 0xc82d7d diritto+0xe046 @ 0xc7e046 diritto+0x124b9 @ 0xc824b9 diritto+0x55d6c @ 0xcc5d6c diritto+0x13423 @ 0xc83423 diritto+0xe453 @ 0xc7e453 diritto+0xdef7 @ 0xc7def7 diritto+0x3432 @ 0xc73432 diritto+0x292d @ 0xc7292d diritto+0x20913 @ 0xc90913 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: eb 12 8b 45 ec 8b 08 8b 09 50 51 e8 6f ff ff ff exception.symbol: RtlpNtEnumerateSubKey+0x1b25 isupper-0x5d31 ntdll+0xce653 exception.instruction: jmp 0x7746e667 exception.module: ntdll.dll exception.exception_code: 0xc0000374 exception.offset: 845395 exception.address: 0x7746e653 registers.esp: 7468224 registers.edi: 52370864 registers.eax: 7468240 registers.ebp: 7468344 registers.edx: 0 registers.ebx: 0 registers.esi: 15335424 registers.ecx: 2147483647	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

May 12, 2021, 10:15 a.m.

stacktrace:

RtlpNtEnumerateSubKey+0x2a2b isupper-0x4e2b ntdll+0xcf559 @ 0x7746f559
RtlpNtEnumerateSubKey+0x2b0b isupper-0x4d4b ntdll+0xcf639 @ 0x7746f639
RtlUlonglongByteSwap+0xba5 RtlFreeOemString-0x20d35 ntdll+0x7df95 @ 0x7741df95
HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757314dd
diritto+0x32e04 @ 0xca2e04
diritto+0x201f8 @ 0xc901f8
diritto+0x70221 @ 0xce0221
diritto+0x1a93e @ 0xc8a93e
diritto+0x1a8df @ 0xc8a8df
diritto+0x1a93e @ 0xc8a93e
diritto+0x1a93e @ 0xc8a93e
diritto+0x12d7d @ 0xc82d7d
diritto+0xe046 @ 0xc7e046
diritto+0x124b9 @ 0xc824b9
diritto+0x55d6c @ 0xcc5d6c
diritto+0x13423 @ 0xc83423
diritto+0xe453 @ 0xc7e453
diritto+0xdef7 @ 0xc7def7
diritto+0x3432 @ 0xc73432
diritto+0x292d @ 0xc7292d
diritto+0x20913 @ 0xc90913
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: eb 12 8b 45 ec 8b 08 8b 09 50 51 e8 6f ff ff ff
exception.symbol: RtlpNtEnumerateSubKey+0x1b25 isupper-0x5d31 ntdll+0xce653
exception.instruction: jmp 0x7746e667
exception.module: ntdll.dll
exception.exception_code: 0xc0000374
exception.offset: 845395
exception.address: 0x7746e653
registers.esp: 7468224
registers.edi: 52370864
registers.eax: 7468240
registers.ebp: 7468344
registers.edx: 0
registers.ebx: 0
registers.esi: 15335424
registers.ecx: 2147483647

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 12, 2021, 10:14 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73702000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 12, 2021, 10:14 a.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73702000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 12, 2021, 10:14 a.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73702000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 10:15 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00300000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW May 12, 2021, 10:14 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13726990336 root_path: C:\Users\test22\AppData\Roaming\PjaGjBjjgOVdKYNVYmnWuQlkcROabisQzuDJBhnHgwRSAcsfjygDwWgZwukcMTPubtXEctxLwRHtY total_number_of_bytes: 0	1	1	0

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Roaming\gXjmjGiawO\RAYkwQXp.js
file	C:\Users\test22\AppData\Roaming\PjaGjBjjgOVdKYNVYmnWuQlkcROabisQzuDJBhnHgwRSAcsfjygDwWgZwukcMTPubtXEctxLwRHtY\Diritto.exe.com
file	C:\Users\test22\AppData\Roaming\gXjmjGiawO\xNBSMJllYe.exe.com

Creates a suspicious process (2 events)

cmdline	schtasks.exe /create /tn "xNBSMJllYe" /tr "C:\\Users\\test22\\AppData\\Roaming\\gXjmjGiawO\\xNBSMJllYe.exe.com C:\\Users\\test22\\AppData\\Roaming\\gXjmjGiawO\\Q" /sc onstart /F /RU SYSTEM
cmdline	"C:\Windows\System32\cmd.exe" /c iqNOHdjFJRyhysPKrZOyDFL & okDksJPSlGbcVRHiSeznxx & hAaVTUKoBgyGcM & gqwjrmT & cmd < Estate.wms

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\gXjmjGiawO\xNBSMJllYe.exe.com

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 12, 2021, 10:14 a.m.	show_type: 0 filepath_r: makecab.exe parameters: filepath: makecab.exe	1	1	0
ShellExecuteExW May 12, 2021, 10:14 a.m.	show_type: 0 filepath_r: cmd parameters: /c iqNOHdjFJRyhysPKrZOyDFL & okDksJPSlGbcVRHiSeznxx & hAaVTUKoBgyGcM & gqwjrmT & cmd < Estate.wms filepath: cmd	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00003e00', u'virtual_address': u'0x00023000', u'entropy': 7.463100985131687, u'name': u'.rsrc', u'virtual_size': u'0x00003c3d'}

entropy

7.46310098513

description

A section with a high entropy has been found

Potentially malicious URLs were found in the process memory dump (3 events)

url	http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url	http://purl.org/rss/1.0/
url	http://www.passport.com

Yara rule detected in process memory (33 events)

description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Communications over FTP	rule	Network_FTP
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Hijack network configuration	rule	Hijack_Network
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Steal credential	rule	local_credential_Steal
description	Take ScreenShot	rule	ScreenShot
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Install itself for autorun at Windows startup	rule	Persistence

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	ping 127.0.0.1 -n 30
cmdline	schtasks.exe /create /tn "xNBSMJllYe" /tr "C:\\Users\\test22\\AppData\\Roaming\\gXjmjGiawO\\xNBSMJllYe.exe.com C:\\Users\\test22\\AppData\\Roaming\\gXjmjGiawO\\Q" /sc onstart /F /RU SYSTEM

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: fa8993cd5c1edb73143de64e8fcd68657af606f1

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 12, 2021, 10:15 a.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 278528 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00100000 process_handle: 0x00000218	1	0	0

Installs itself for autorun at Windows startup (1 event)

cmdline

schtasks.exe /create /tn "xNBSMJllYe" /tr "C:\\Users\\test22\\AppData\\Roaming\\gXjmjGiawO\\xNBSMJllYe.exe.com C:\\Users\\test22\\AppData\\Roaming\\gXjmjGiawO\\Q" /sc onstart /F /RU SYSTEM

Manipulates memory of a non-child process indicative of process injection (3 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2576 manipulating memory of non-child process 2480
NtAllocateVirtualMemory May 12, 2021, 10:15 a.m.	process_identifier: 2480 region_size: 278528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x00100000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000218	1	0	0
NtProtectVirtualMemory May 12, 2021, 10:15 a.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 278528 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00100000 process_handle: 0x00000218	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2576 injected into non-child 2480
WriteProcessMemory May 12, 2021, 10:15 a.m.	buffer: ÿÿÿÿû~(ü~Pý~mèÿÿ jHâý~± base_address: 0x7efde000 process_identifier: 2480 process_handle: 0x00000218	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2576 called NtSetContextThread to modify thread in remote process 2480
NtSetContextThread May 12, 2021, 10:15 a.m.	registers.eip: 2000355780 registers.esp: 3735328 registers.edi: 0 registers.eax: 1309934 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000210 process_identifier: 2480	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1976 resumed a thread in remote process 2696
NtResumeThread May 12, 2021, 10:14 a.m.	thread_handle: 0x00000090 suspend_count: 0 process_identifier: 2696	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (1 event)

cmdline

schtasks.exe /create /tn "xNBSMJllYe" /tr "C:\\Users\\test22\\AppData\\Roaming\\gXjmjGiawO\\xNBSMJllYe.exe.com C:\\Users\\test22\\AppData\\Roaming\\gXjmjGiawO\\Q" /sc onstart /F /RU SYSTEM

Executed a process and injected code into it, probably while unpacking (17 events)

Time & API	Arguments	Status	Return
NtResumeThread May 12, 2021, 10:14 a.m.	thread_handle: 0x0000012c suspend_count: 1 process_identifier: 2648	1	0
CreateProcessInternalW May 12, 2021, 10:14 a.m.	thread_identifier: 2244 thread_handle: 0x000002b8 process_identifier: 2240 current_directory: C:\Users\test22\AppData\Roaming\PjaGjBjjgOVdKYNVYmnWuQlkcROabisQzuDJBhnHgwRSAcsfjygDwWgZwukcMTPubtXEctxLwRHtY filepath: C:\Windows\System32\makecab.exe track: 1 command_line: "C:\Windows\System32\makecab.exe" filepath_r: C:\Windows\System32\makecab.exe stack_pivoted: 0 creation_flags: 67634176 (CREATE_DEFAULT_ERROR_MODE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002c0	1	1
CreateProcessInternalW May 12, 2021, 10:14 a.m.	thread_identifier: 2084 thread_handle: 0x000002c8 process_identifier: 2744 current_directory: C:\Users\test22\AppData\Roaming\PjaGjBjjgOVdKYNVYmnWuQlkcROabisQzuDJBhnHgwRSAcsfjygDwWgZwukcMTPubtXEctxLwRHtY filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c iqNOHdjFJRyhysPKrZOyDFL & okDksJPSlGbcVRHiSeznxx & hAaVTUKoBgyGcM & gqwjrmT & cmd < Estate.wms filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634176 (CREATE_DEFAULT_ERROR_MODE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002dc	1	1
CreateProcessInternalW May 12, 2021, 10:14 a.m.	thread_identifier: 2044 thread_handle: 0x0000008c process_identifier: 1976 current_directory: C:\Users\test22\AppData\Roaming\PjaGjBjjgOVdKYNVYmnWuQlkcROabisQzuDJBhnHgwRSAcsfjygDwWgZwukcMTPubtXEctxLwRHtY filepath: C:\Windows\System32\cmd.exe track: 1 command_line: cmd filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
CreateProcessInternalW May 12, 2021, 10:14 a.m.	thread_identifier: 1632 thread_handle: 0x0000008c process_identifier: 2672 current_directory: C:\Users\test22\AppData\Roaming\PjaGjBjjgOVdKYNVYmnWuQlkcROabisQzuDJBhnHgwRSAcsfjygDwWgZwukcMTPubtXEctxLwRHtY filepath: C:\Windows\System32\findstr.exe track: 1 command_line: findstr /V /R "^IRYjqEeSlHqUOmgNEQyuRToTmXianaMtsAbasYwuofIOxmdrAdyKMFuPItNebJxSVVDheWcGOYXClxmZHrSojeaLxIJhlZImVQSnVewEUmVNHEEgENczQjFTDRTzjocPdnGzBwrEwghMuFtPrc$" Tele.wms filepath_r: C:\Windows\system32\findstr.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000094	1	1
CreateProcessInternalW May 12, 2021, 10:14 a.m.	thread_identifier: 2572 thread_handle: 0x00000090 process_identifier: 2696 current_directory: filepath: C:\Users\test22\AppData\Roaming\PjaGjBjjgOVdKYNVYmnWuQlkcROabisQzuDJBhnHgwRSAcsfjygDwWgZwukcMTPubtXEctxLwRHtY\Diritto.exe.com track: 1 command_line: Diritto.exe.com o filepath_r: C:\Users\test22\AppData\Roaming\PjaGjBjjgOVdKYNVYmnWuQlkcROabisQzuDJBhnHgwRSAcsfjygDwWgZwukcMTPubtXEctxLwRHtY\Diritto.exe.com stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000094	1	1
NtResumeThread May 12, 2021, 10:14 a.m.	thread_handle: 0x00000090 suspend_count: 0 process_identifier: 2696	1	0
CreateProcessInternalW May 12, 2021, 10:14 a.m.	thread_identifier: 888 thread_handle: 0x00000094 process_identifier: 1768 current_directory: C:\Users\test22\AppData\Roaming\PjaGjBjjgOVdKYNVYmnWuQlkcROabisQzuDJBhnHgwRSAcsfjygDwWgZwukcMTPubtXEctxLwRHtY filepath: C:\Windows\System32\PING.EXE track: 1 command_line: ping 127.0.0.1 -n 30 filepath_r: C:\Windows\system32\PING.EXE stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
CreateProcessInternalW May 12, 2021, 10:14 a.m.	thread_identifier: 808 thread_handle: 0x0000012c process_identifier: 2576 current_directory: C:\Users\test22\AppData\Roaming\PjaGjBjjgOVdKYNVYmnWuQlkcROabisQzuDJBhnHgwRSAcsfjygDwWgZwukcMTPubtXEctxLwRHtY filepath: track: 1 command_line: C:\Users\test22\AppData\Roaming\PjaGjBjjgOVdKYNVYmnWuQlkcROabisQzuDJBhnHgwRSAcsfjygDwWgZwukcMTPubtXEctxLwRHtY\Diritto.exe.com o filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000130	1	1
CreateProcessInternalW May 12, 2021, 10:14 a.m.	thread_identifier: 2356 thread_handle: 0x00000208 process_identifier: 2524 current_directory: C:\Users\test22\AppData\Roaming\PjaGjBjjgOVdKYNVYmnWuQlkcROabisQzuDJBhnHgwRSAcsfjygDwWgZwukcMTPubtXEctxLwRHtY filepath: track: 1 command_line: schtasks.exe /create /tn "xNBSMJllYe" /tr "C:\\Users\\test22\\AppData\\Roaming\\gXjmjGiawO\\xNBSMJllYe.exe.com C:\\Users\\test22\\AppData\\Roaming\\gXjmjGiawO\\Q" /sc onstart /F /RU SYSTEM filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000210	1	1
CreateProcessInternalW May 12, 2021, 10:15 a.m.	thread_identifier: 2760 thread_handle: 0x00000210 process_identifier: 2480 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Roaming\PjaGjBjjgOVdKYNVYmnWuQlkcROabisQzuDJBhnHgwRSAcsfjygDwWgZwukcMTPubtXEctxLwRHtY\RegAsm.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000218	1	1
NtGetContextThread May 12, 2021, 10:15 a.m.	thread_handle: 0x00000210	1	0
NtAllocateVirtualMemory May 12, 2021, 10:15 a.m.	process_identifier: 2480 region_size: 278528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x00100000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000218	1	0
WriteProcessMemory May 12, 2021, 10:15 a.m.	buffer: base_address: 0x00100000 process_identifier: 2480 process_handle: 0x00000218	1	1
WriteProcessMemory May 12, 2021, 10:15 a.m.	buffer: ÿÿÿÿû~(ü~Pý~mèÿÿ jHâý~± base_address: 0x7efde000 process_identifier: 2480 process_handle: 0x00000218	1	1
NtSetContextThread May 12, 2021, 10:15 a.m.	registers.eip: 2000355780 registers.esp: 3735328 registers.edi: 0 registers.eax: 1309934 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000210 process_identifier: 2480	1	0
NtResumeThread May 12, 2021, 10:14 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1768	1	0

File has been identified by 37 AntiVirus engines on VirusTotal as malicious (37 events)

Bkav	W32.AIDetect.malware2
MicroWorld-eScan	Trojan.GenericKD.36786598
FireEye	Generic.mg.c6b9737dd5705a2a
McAfee	Artemis!C6B9737DD570
Cylance	Unsafe
Sangfor	Trojan.Win32.Wacatac.B
K7AntiVirus	Trojan ( 0057a8111 )
Alibaba	Backdoor:Win32/Generic.3334f9f3
K7GW	Trojan ( 0057a8111 )
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	Win32/Agent.ACXU
APEX	Malicious
Avast	Win32:Trojan-gen
Kaspersky	Backdoor.Win32.Agent.mytzxr
BitDefender	Trojan.GenericKD.36786598
Rising	Trojan.HiddenRun/SFX!1.D52F (CLASSIC)
Ad-Aware	Trojan.GenericKD.36786598
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R011C0WDR21
McAfee-GW-Edition	BehavesLike.Win32.Ransomware.tc
Emsisoft	Trojan.GenericKD.36786598 (B)
Avira	HEUR/AGEN.1142826
MAX	malware (ai score=82)
Gridinsoft	Trojan.Win32.Agent.ns
Microsoft	Trojan:Win32/Tnega!ml
AegisLab	Trojan.Win32.Agent.m!c
GData	Trojan.GenericKD.36786598
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.C4447355
ALYac	Trojan.GenericKD.36786598
VBA32	Backdoor.Agent
Malwarebytes	Trojan.Dropper.Generic
TrendMicro-HouseCall	TROJ_GEN.R011C0WDR21
Tencent	Win32.Backdoor.Agent.Szvd
Fortinet	W32/Agent.ACXU!tr
AVG	Win32:Trojan-gen
Panda	Trj/CI.A

bella.txt

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All