Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 21, 2025, 9:02 a.m.	March 21, 2025, 9:08 a.m.

Size	1.6MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`17ffd8a0d8bf24a59671db67e0910e80`
SHA256	`fa6ec12f35910f73e041be58cd4ac6b7b1ae836879e2960f6d38fc66e2f870c5`
CRC32	`ECBB8304`
ssdeep	`24576:Y7Xq053vvr3puceyFtyPLmE5APTE6LCTRny15RGmff3+fxXNfgM:8Dv6BAbEAMnyvR9Xcxd4M`
Yara	Admin_Tool_IN_Zero - Admin Tool Sysinternals Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) mzp_file_format - MZP(Delphi) file format UPX_Zero - UPX packed file

cvvs.exe "C:\Users\test22\AppData\Local\Temp\cvvs.exe"
2564
- cmd.exe cmd /c ""C:\\Users\\All Users\\4596.cmd""
  2720
  - esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
    2840
- cmd.exe cmd /c ""C:\\Users\\All Users\\28467.cmd""
  2776
  - PING.EXE ping 127.0.0.1 -n 10
    2872

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 21, 2025, 9:02 a.m.			0	0

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 21, 2025, 9:02 a.m.	buffer: The system cannot find the path specified. console_handle: 0x0000000b	1	1
WriteConsoleW March 21, 2025, 9:02 a.m.	buffer: The system cannot find the path specified. console_handle: 0x0000000b	1	1
WriteConsoleA March 21, 2025, 9:02 a.m.	buffer: FAILURE: GetOverlappedResult (read) returned wrong number of bytes: . console_handle: 0x0000000b	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 21, 2025, 9:02 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.itext

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

Allocates read-write-execute memory (usually to unpack itself) (50 out of 484 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73662000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1385447420 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582664 process_handle: 0xffffffff		3221225496

Creates executable files on the filesystem (4 events)

file	C:\Users\All Users\neo.cmd
file	C:\Users\All Users\28467.cmd
file	C:\Users\test22\Links\bmfeyeaJ.pif
file	C:\Users\All Users\4596.cmd

Creates a suspicious process (1 event)

cmdline

C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o

Drops a binary and executes it (1 event)

file	C:\Users\Public\alpha.pif

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 151552 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x03521000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00109200', u'virtual_address': u'0x00075000', u'entropy': 6.84675472236307, u'name': u'.data', u'virtual_size': u'0x001091a4'}

entropy

6.84675472236

description

A section with a high entropy has been found

entropy

0.650413983441

description

Overall entropy of this PE file is high

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

ping 127.0.0.1 -n 10

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 3012 region_size: 748576768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a4	1	0	0
NtAllocateVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 3012 region_size: 748575482 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a4		3221225496	0

Deletes executed files from disk (1 event)

file

Manipulates memory of a non-child process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2564 manipulating memory of non-child process 3012
NtUnmapViewOfSection March 21, 2025, 9:02 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 3012 process_handle: 0x000002a4	1	0	0
NtAllocateVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 3012 region_size: 748576768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a4	1	0	0
NtAllocateVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 3012 region_size: 748575482 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a4		3221225496	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2564 called NtSetContextThread to modify thread in remote process 3012
NtSetContextThread March 21, 2025, 9:02 a.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4246831 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002a0 process_identifier: 3012	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2564 resumed a thread in remote process 3012
NtResumeThread March 21, 2025, 9:02 a.m.	thread_handle: 0x000002a0 suspend_count: 1 process_identifier: 3012	1	0	0

Executed a process and injected code into it, probably while unpacking (14 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW March 21, 2025, 9:02 a.m.	thread_identifier: 2724 thread_handle: 0x000002a0 process_identifier: 2720 current_directory: filepath: track: 1 command_line: C:\\Users\\All Users\\4596.cmd filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000002a4	1	1
CreateProcessInternalW March 21, 2025, 9:02 a.m.	thread_identifier: 2780 thread_handle: 0x000002a0 process_identifier: 2776 current_directory: filepath: track: 1 command_line: C:\\Users\\All Users\\28467.cmd filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000002a4	1	1
CreateProcessInternalW March 21, 2025, 9:02 a.m.	thread_identifier: 3016 thread_handle: 0x000002a0 process_identifier: 3012 current_directory: filepath: track: 1 command_line: C:\\Users\\test22\\Links\bmfeyeaJ.pif filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002a4	1	1
NtGetContextThread March 21, 2025, 9:02 a.m.	thread_handle: 0x000002a0	1	0
NtUnmapViewOfSection March 21, 2025, 9:02 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 3012 process_handle: 0x000002a4	1	0
NtAllocateVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 3012 region_size: 748576768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a4	1	0
NtAllocateVirtualMemory March 21, 2025, 9:02 a.m.	process_identifier: 3012 region_size: 748575482 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a4		3221225496
NtSetContextThread March 21, 2025, 9:02 a.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4246831 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002a0 process_identifier: 3012	1	0
NtResumeThread March 21, 2025, 9:02 a.m.	thread_handle: 0x000002a0 suspend_count: 1 process_identifier: 3012	1	0
CreateProcessInternalW March 21, 2025, 9:02 a.m.	thread_identifier: 2844 thread_handle: 0x00000084 process_identifier: 2840 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\esentutl.exe track: 1 command_line: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o filepath_r: C:\Windows\System32\esentutl.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW March 21, 2025, 9:02 a.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\Public\alpha.pif track: 0 command_line: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " filepath_r: C:\Users\Public\alpha.pif stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000000		0
CreateProcessInternalW March 21, 2025, 9:02 a.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\Public\alpha.pif track: 0 command_line: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64" filepath_r: C:\Users\Public\alpha.pif stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000000		0
CreateProcessInternalW March 21, 2025, 9:02 a.m.	thread_identifier: 2876 thread_handle: 0x00000090 process_identifier: 2872 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\PING.EXE track: 1 command_line: ping 127.0.0.1 -n 10 filepath_r: C:\Windows\system32\PING.EXE stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000094	1	1
NtResumeThread March 21, 2025, 9:02 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2872	1	0

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.ModiLoader.b!c
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Fareit.tc
ALYac	Gen:Variant.Jaik.282262
Cylance	Unsafe
VIPRE	Gen:Variant.Jaik.282262
CrowdStrike	win/malicious_confidence_90% (W)
BitDefender	Gen:Variant.Cerbu.254856
K7GW	Trojan-Downloader ( 005a9dd21 )
K7AntiVirus	Trojan-Downloader ( 005a9dd21 )
Arcabit	Trojan.Cerbu.D3E388
VirIT	Trojan.Win32.Injector.DGE
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/TrojanDownloader.ModiLoader.AHI
APEX	Malicious
Avast	Win32:DropperX-gen [Drp]
ClamAV	Win.Trojan.Modiloader-10042434-0
Kaspersky	HEUR:Trojan-Dropper.Win32.Injector.gen
Alibaba	TrojanDropper:Win32/Injector.4f9f5328
MicroWorld-eScan	Gen:Variant.Cerbu.254856
Rising	Trojan.ModiLoader!1.127F9 (CLASSIC)
Emsisoft	Gen:Variant.Cerbu.254856 (B)
F-Secure	Heuristic.HEUR/AGEN.1376869
McAfeeD	ti!FA6EC12F3591
Trapmine	malicious.moderate.ml.score
CTX	exe.unknown.cerbu
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
FireEye	Generic.mg.17ffd8a0d8bf24a5
Google	Detected
Avira	HEUR/AGEN.1376869
Kingsoft	malware.kb.a.966
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	Gen:Variant.Cerbu.254856
Varist	W32/ModiLoader.W.gen!Eldorado
AhnLab-V3	Trojan/Win.ModiLoader.C5742750
McAfee	Artemis!17FFD8A0D8BF
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware/Suspicious
Ikarus	Trojan-Downloader.Win32.Modiloader
TrendMicro-HouseCall	Trojan.Win32.VSX.PE04C9V
Tencent	OB:Trojan-DL.Win32.Modiloader.16001687
huorong	TrojanDownloader/ModiLoader.a
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/ModiLoader.ABE!tr
AVG	Win32:DropperX-gen [Drp]
alibabacloud	Trojan[dropper]:Win/ModiLoader.AJE

cvvs.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All