Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 11, 2021, 2:59 p.m.	Sept. 11, 2021, 3:07 p.m.

Size	58.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`b53466259125d66deb6ef9d787fa1b13`
SHA256	`5fae9e2f6fc2e95b5f6be3c8c0d3a76cebf18a2526913d21c67bb98be35f8247`
CRC32	`052C7B3D`
ssdeep	`1536:pzQjJuw3c6hqh1kJaJrNKx5tzzevaCpzqFFzWcXdqu7mOYhngYFD:hQduF60Q0X036aCBqXcY6tgYFD`
Yara	Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

r33.exe "C:\Users\test22\AppData\Local\Temp\r33.exe"
2100
- 1632528044.exe C:\Users\test22\AppData\Local\Temp\1632528044.exe
  1168

Name	Response	Post-Analysis Lookup
api.wipmania.com	A 127.0.0.1	127.0.0.1
www.update.microsoft.com	A 52.185.71.28 CNAME redir.update.microsoft.com.nsatc.net CNAME www.update.microsoft.com.nsatc.net	52.137.90.34

IP Address	Status	Action
109.110.169.72	Active	Moloch
109.200.175.189	Active	Moloch
109.238.179.30	Active	Moloch
109.74.46.59	Active	Moloch
128.65.179.120	Active	Moloch
151.232.108.62	Active	Moloch
154.41.3.119	Active	Moloch
164.124.101.2	Active	Moloch
176.210.80.7	Active	Moloch
185.215.113.66	Active	Moloch
185.215.113.84	Active	Moloch
188.158.96.194	Active	Moloch
195.181.24.186	Active	Moloch
2.135.238.38	Active	Moloch
213.230.73.39	Active	Moloch
217.219.230.200	Active	Moloch
39.45.148.120	Active	Moloch
39.60.41.243	Active	Moloch
42.248.182.132	Active	Moloch
42.248.182.220	Active	Moloch
42.248.183.170	Active	Moloch
42.248.183.34	Active	Moloch
45.157.102.112	Active	Moloch
5.227.212.94	Active	Moloch
5.232.240.174	Active	Moloch
5.236.196.254	Active	Moloch
52.185.71.28	Active	Moloch
62.209.132.199	Active	Moloch
78.38.107.89	Active	Moloch
80.80.223.226	Active	Moloch
87.202.76.185	Active	Moloch
89.236.216.4	Active	Moloch
91.92.189.39	Active	Moloch
91.98.216.220	Active	Moloch
93.117.42.214	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.66:48755 -> 192.168.56.102:49165	2400024	ET DROP Spamhaus DROP Listed Traffic Inbound group 25	Misc Attack
TCP 185.215.113.84:80 -> 192.168.56.102:49166	2400024	ET DROP Spamhaus DROP Listed Traffic Inbound group 25	Misc Attack
TCP 192.168.56.102:49166 -> 185.215.113.84:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 185.215.113.84:80 -> 192.168.56.102:49166	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.84:80 -> 192.168.56.102:49166	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 11, 2021, 2:59 p.m.			0	0
IsDebuggerPresent Sept. 11, 2021, 3:06 p.m.			0	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://185.215.113.84/twzt.exe

Performs some HTTP requests (1 event)

request

GET http://185.215.113.84/twzt.exe

Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol (32 events)

ip	109.74.46.59
ip	185.215.113.66
ip	195.181.24.186
ip	217.219.230.200
ip	42.248.183.34
ip	5.227.212.94
ip	5.232.240.174
ip	62.209.132.199
ip	78.38.107.89
ip	91.92.189.39
ip	109.110.169.72
ip	109.200.175.189
ip	109.238.179.30
ip	128.65.179.120
ip	151.232.108.62
ip	154.41.3.119
ip	176.210.80.7
ip	188.158.96.194
ip	2.135.238.38
ip	213.230.73.39
ip	39.45.148.120
ip	39.60.41.243
ip	42.248.182.132
ip	42.248.182.220
ip	42.248.183.170
ip	45.157.102.112
ip	5.236.196.254
ip	80.80.223.226
ip	87.202.76.185
ip	89.236.216.4
ip	91.98.216.220
ip	93.117.42.214

A process attempted to delay the analysis task. (1 event)

description

r33.exe tried to sleep 135 seconds, actually delayed analysis time by 134 seconds

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\1632528044.exe

Creates hidden or system file (50 out of 112 events)

Time & API	Arguments	Status
NtCreateFile Sept. 11, 2021, 3 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000001e8 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000248 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x0000024c filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000248 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x0000024c filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000248 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x0000024c filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000248 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x0000024c filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000248 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x0000024c filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000248 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x0000024c filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000248 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x0000024c filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000248 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x0000024c filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000003c8 filepath: C:\Users\test22\cmdcfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\cmdcfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000003c8 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000001d8 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000003c8 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000003c8 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000001d8 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000003c8 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000001d8 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000003c8 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000001d8 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000001d8 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000003c8 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000001d8 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3:01 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000003d8 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3:01 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000348 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3:01 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000348 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3:01 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000348 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3:01 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000003d8 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3:01 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000348 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3:01 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000003d8 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3:01 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000348 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3:01 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000003d8 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3:01 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000348 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3:01 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000348 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3:01 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000348 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3:01 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000003d8 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3:01 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000348 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3:01 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000348 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3:01 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000348 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3:01 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000348 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3:01 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000003d8 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3:01 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000348 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1
NtCreateFile Sept. 11, 2021, 3:01 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000003d8 filepath: C:\Users\test22\nodescfg.dat desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\nodescfg.dat create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 3 (FILE_OVERWRITTEN) share_access: 0 ()	1

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\1632528044.exe

An executable file was downloaded by the process r33.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Sept. 11, 2021, 3 p.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $G %óÁK ÁK ÁK {³J¡ÁK ÀÎ ÁK ÀÎ ÁK ÀÎD ÁK $& ÁK ÁJ µÁK $0 ÁK Â $ÁK Ú ÁK RichÁK PELWå;aà ÖJXð@@,ðü.texttÔÖ request_handle: 0x00cc000c	1	1	0

Communicates with host for which no DNS query was performed (33 events)

host	109.110.169.72
host	109.200.175.189
host	109.238.179.30
host	109.74.46.59
host	128.65.179.120
host	151.232.108.62
host	154.41.3.119
host	176.210.80.7
host	185.215.113.66
host	185.215.113.84
host	188.158.96.194
host	195.181.24.186
host	2.135.238.38
host	213.230.73.39
host	217.219.230.200
host	39.45.148.120
host	39.60.41.243
host	42.248.182.132
host	42.248.182.220
host	42.248.183.170
host	42.248.183.34
host	45.157.102.112
host	5.227.212.94
host	5.232.240.174
host	5.236.196.254
host	62.209.132.199
host	78.38.107.89
host	80.80.223.226
host	87.202.76.185
host	89.236.216.4
host	91.92.189.39
host	91.98.216.220
host	93.117.42.214

Installs itself for autorun at Windows startup (3 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service	reg_value	C:\Users\test22\winupdsvcs.exe
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service	reg_value	C:\Windows\winsvcscu.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service	reg_value	C:\Users\test22\winsvcscu.exe

Modifies security center warnings (7 events)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride

Attempts to remove evidence of file being downloaded from the Internet (2 events)

file	C:\Users\test22\AppData\Local\Temp\1632528044.exe:Zone.Identifier
file	C:\Users\test22\AppData\Local\Temp\r33.exe:Zone.Identifier

Generates some ICMP traffic

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

52.185.71.28:80

Disables Windows Security features (5 events)

description	attempts to disable antivirus notifications	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
description	attempts to disable antivirus notifications	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
description	attempts to disable firewall notifications	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
description	attempts to disable firewall notifications	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
description	attempts to disable windows update notifications	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify

File has been identified by 41 AntiVirus engines on VirusTotal as malicious (41 events)

Bkav	W32.AIDetect.malware1
Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
McAfee	RDN/Generic.rp
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
K7GW	Trojan ( 0058207e1 )
Arcabit	Generic.Malware.SF.14F139F2
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Phorpiex.AS
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Dropped:Generic.Malware.SF.14F139F2
MicroWorld-eScan	Dropped:Generic.Malware.SF.14F139F2
Avast	Win32:KadrBot [Trj]
Rising	Worm.Phorpiex!1.D985 (CLASSIC)
Ad-Aware	Dropped:Generic.Malware.SF.14F139F2
Emsisoft	Dropped:Generic.Malware.SF.14F139F2 (B)
F-Secure	Worm.WORM/Phorpiex.biwgu
DrWeb	DLOADER.Trojan
McAfee-GW-Edition	BehavesLike.Win32.Backdoor.qh
FireEye	Generic.mg.b53466259125d66d
Sophos	Mal/Generic-S
Ikarus	Worm.Win32.Phorpiex
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:Script/Phonzy.C!ml
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Dropped:Generic.Malware.SF.14F139F2
VBA32	BScope.Trojan.Hynamer
ALYac	Dropped:Generic.Malware.SF.14F139F2
MAX	malware (ai score=81)
Cylance	Unsafe
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_66%
Fortinet	W32/Phorpiex.AS!tr
BitDefenderTheta	AI:Packer.0C683F6C1E
AVG	Win32:KadrBot [Trj]
Panda	Trj/GdSda.A
MaxSecure	Trojan.Malware.300983.susgen

r33.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All