Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 24, 2021, 3:25 p.m.	March 24, 2021, 3:26 p.m.

Size	2.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`7fb4bc02c317b69c178833f4af693b75`
SHA256	`8cec146d7a7b594cf7748b35c63ea1fed2c994ef2cdbb5731f1b15d9c9fa1ee3`
CRC32	`49B42FD5`
ssdeep	`49152:61drDcvHXZaxVK3lNgDtn3EDe52c8aMex0g0JuvL4I2zvGAPReTCqg:adW3ZabUgDtt2c2hg0JufGvGA5rqg`
Yara	PE_Header_Zero - PE File Signature Zero escalate_priv - Escalade priviledges screenshot - Take screenshot keylogger - Run a keylogger win_registry - Affect system registries win_token - Affect system token win_files_operation - Affect private profile IsPE32 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasOverlay - Overlay Check HasRichSignature - Rich Signature Check

lv.exe "C:\Users\test22\AppData\Local\Temp\lv.exe"
2444
- 5.exe "C:\Users\test22\AppData\Local\Temp\New Feature\5.exe"
  1160
- 4.exe "C:\Users\test22\AppData\Local\Temp\New Feature\4.exe"
  2252
- 6.exe "C:\Users\test22\AppData\Local\Temp\New Feature\6.exe"
  584
  - cmd.exe "C:\Windows\System32\cmd.exe" /c echo WWjSNMM
    1760
  - cmd.exe "C:\Windows\System32\cmd.exe" /c cmd < Rimasta.aspx
    2976
    - cmd.exe cmd
      2216
      - findstr.exe findstr /V /R "^kBqFuWHryiPtDfiJvkiiDXYDRmkOIjdtnwDLTWTiPWEfZhhCcQLTxIkgCvNGKScTRKGBLvPAsZaGaJEEjJaRBvKQQfpbphvWBLngHLQZwkBcdFVSSpxwmDscqPLvhastCctHkfW$" Fino.aac
        2988
      - Metto.com Metto.com Confusa.wav
        808
        
        Metto.com C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf\Metto.com Confusa.wav
        492
        
        cmd.exe "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\ebhuvpvbacx & timeout 2 & del /f /q "C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf\Metto.com"
        2780
        
        timeout.exe timeout 2
        2340
        
        cmd.exe "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\ebhuvpvbacx & timeout 2 & del /f /q "C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf\Metto.com"
        2292
        
        timeout.exe timeout 2
        2908
      - PING.EXE ping 127.0.0.1 -n 30
        3032
- vpn.exe "C:\Users\test22\AppData\Local\Temp\New Feature\vpn.exe"
  2724
  - cmd.exe "C:\Windows\System32\cmd.exe" /c echo RzfYXJ
    260
  - cmd.exe "C:\Windows\System32\cmd.exe" /c cmd < Conoscerla.wpd
    2356
    - cmd.exe cmd
      1912
      - findstr.exe findstr /V /R "^LFvycdHogwdsMEijFHCSQsbggCHrfhgGFxBASEMdhtGSxuaSlByjELYzooQSIDSwNKLsrHxwVkFMLFTolOTOiwwUviaKNTIJjEyKxqPCitszujICgIITJtTLIRVWgKhwDVAuApN$" Mantenga.eps
        2388
      - Uso.com Uso.com Mezzo.mp3
        2720
        
        Uso.com C:\Users\test22\AppData\Local\Temp\zzguiZoqUNz\Uso.com Mezzo.mp3
        1816
      - PING.EXE ping 127.0.0.1 -n 30
        1852

Name	Response	Post-Analysis Lookup
rgRZxLIUbSUAgHDjT.rgRZxLIUbSUAgHDjT
iLzeDyTgvR.iLzeDyTgvR
ip-api.com	A 208.95.112.1	208.95.112.1

IP Address	Status	Action
164.124.101.2	Active	Moloch
208.95.112.1	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49223 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW March 24, 2021, 3:26 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 24, 2021, 3:25 p.m.			0	0
IsDebuggerPresent March 24, 2021, 3:25 p.m.			0	0
IsDebuggerPresent March 24, 2021, 3:25 p.m.			0	0
IsDebuggerPresent March 24, 2021, 3:25 p.m.			0	0

Command line console output was observed (50 out of 2592 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: WWjSNMM console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: RzfYXJ console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: Microsoft Windows [Version 6.1.7601] console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: Copyright (c) 2009 Microsoft Corporation. All rights reserved. console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: Set unAPScB=M console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: Set wvUrbRxvKPINkUBmPSJNLpRgcPNsYTsejlcOnCruWcFqJNUEZfrDSCKSFGIIre=RbGBwnMwjOCQdDQEHUpaIQOpJmCpSUceUWOCejTyjgQOfMzgOwqOUJQqJbRCVDoazmVxPgCxwtuxZqUXygxQTGoluNTFcdpIyncPQZmmmGNPCcwJDTvHosnMsLhwxWYKVbgBEtiuO console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: Set shTzHKMleCUBmNqJntLnyCHeUyiAtnLdThqlSYrDflTvQzXBBVFexdPOGQnCDjyDQDIjNPQAwooVJ=jAiGYpTIWCnkEemAqetdFjLLNLtywkiUycEYcWhWKiHyOBlOqAoyQaEZOcSjtNHKcDypbAyrPiFnEGXjBdtAewrMQElqtqRXmXJlcqdA console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: Set ydINucibGLOIiHzmzzSdyYPfIYHWNQAZEtXLxZJpeCbfrgafdKeHbpduBzyoNl=QlOtrJItxJJhCAAjzGaGeOTCxNRlwTBvRRHtflgFHGIYOWNFwuLBcEIeskJfSneAihcLTcWpsMYvyUOnqkoUoZwhpFNtAZMpDiQBAeMFlBlIFjWvbkfGfiaokoBhHSJaZPTYtjYXmCKGPaIXJsGgKuUcPIfsAnYaSSIQ console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: Set XskhsiMbLzTAEDdkxITUbpvXGbqEaOXKREMZcwaZoXrfvRWVIubpOVVOVhGU=iyXcoIqRdQzfUMAuiAPByWkdNVVJYrixnSqSyThoVrsftUUpxHONRaqkTHIhNdTjIYQwMIqhjGFwEVkTqMgdfxCuROYnlq console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: Set ElyHyrSvMHAAkNZHXcPjqeDXgcKlXJCejkqQngyPofBIOUsaSiwecNxCHoaKzI=rtbhZMooIfqtLAUoxtssQHmHmQbpdWcvmQnEdGsFJYaNcIJwNZYFwdIcEQNpgZRMTDEUefSNNMHRfMjRivvsYQcooeZATodKuGTRrPZbulSgIQuRDWwSCAOeocMZfaUEcXLJScNav console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: Set lNYuAsWoWXuniGRQIHeqiOdhTLybZooJvDfwteVceicXbXPtRwMyfcRvvKjOkmoNObwDsQLFLHXZazQ=WqFXvrzqMSExQipDZIoqVkNqfizInRtrTfSkTksLtqRnjsOEnxqKlQwKhFHgJLCVOBAAfYJNdbWUxfOYaPprQxSrgoXgDeeanVJLQhfALjzNTufXQJWTBntxIbjiqxlgcDvnFeotAJaDqtpiSZnTuoRZRfezwomdetadKQaOARzRuAzDhygqWdijMvHdqPrs console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: Set wBWMT=3 console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: Set HJagOZSdVnyVTmxLXyEhoeOLOeHyZbRzIjzjYTnMEsxBJibKGQY=foTEVHmMaNdbHMhHuoNtGRJRHjeHEWnonltAaOddzMzQqWUXUQEnrUqbneXJESivgiZvHMgaRvKUnTQLayMOsqyElHwdQHLAEXBSXbfiBjGGpuYFkkdmyzygecjqLYBlKlfBsYNVPFhyzmxtIvyEskxlRjQC console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: Set gvDKvWZQbhjncKAuqVCwoafSWTnPtJtikKBoJxXDxhloSuVBTtRshBeW=KOCbpLOpyjKosvGYZGUiiZPXWWqRNUKHEeZFxylCvZNTkzBHkzhUoOZLYFAhLWclCrDfbqDUvsLikVMDxaGxGPnQehHPEXR console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: Set DDsiPjlkPznQeRmeSXSadwDMFNhpzOfnAkEIEFOooxFhsHOlOEWHtnpCZEBwYqRq=ZfQhQbhoKpVvdcXZrcPSIxeeeJqrMpoDEpsaXWYuInzghyIoEeVFeocFhNkublcAwaRutFwubIppqNPWqRnKgDAv console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: Set LtpLRIbrThVgCtZqPixYjFmYguGLLjnRcaaASxGZMyiATInMmJmcunBuEkbKeMsGPrSlMnoxB=jubZtGITjwNeLXQkWGXVXZNAKQPhqwAtTMjcIEuQeomdTMaVxABBbGbjaXggQxSkAJoYLxCsAuSOAbHYbUTAmZGjfZeLdSqIfgPlDzlZXlwsOILUddQWAaLBeWJLaRw console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: Set upnkIbxtKUCfXfnGhicZwtoXDhiHJnGyozlEpAjSWMkFPvENbrblvwGwwBIcfMxkgvuEt=vNVCrfSDiuIxlGwvJiNoDIRQDpsqdadqIDGJfUYdpbxBMVCNlSNZQVdOVtZTXSjOQILHZsiPovZyhftHHEQnFspMjSNlVyaskGLrpUOSLYQxWkAGqsjzeNommZxiEWUetIUHEqbMQYNHAOQwsilDTZgbbjElAGgOtNdhdTwZTmDtZBYKpzPvMdptzv console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: Set avhjpJZCMnCKnukKzclnWhTquRReNEkUUJJCFhxxqYjkHJsdAGQJoYh=DjyaSXPohHPPvItuwQnXwHzbABBiNCLWcEYaieBrprYZTCTRCJHaAdrVTHRscHxLWTzRJLYZgxOXIxEXHJFtUzvyBr console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: Set mllHBJheZoeiQKIryCyhmrUJLedRDbhfGjnOrNjhcsEPFBOzkfsDcQqvdAVnzvmC=MAEjUZafRRinttphWFgyKUQkenCRNUZSwUSwlisfZhDYTXkvMkvQlvlSKapcvABXSgvlkoePgYuvdSathuyCnoHEJqdSXVTnMGuEAqlDoGBjdNBRZtofcYnJGRAkRlRatIKJLODjWBxRGxgWmmSSNDeNibXJAZLXPpoHrRylBVzUEHekCELasYEBGWCg console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: Set ULWPvebjH=A console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: Set zHsRpooAxLuVhzFQEGwufQxGlvtiFEZVLtYJHNsbNwUtOPJvQkTGGMsChLHMrwUQMllpx=pRfDahWfSxNIdzLzfZMvvVyExMiraDFmwUeedezrFYThZcKBtzVlvYAhLKpFuSXgOhGvdJejFJQbeSFYeFYYHxrrxPdGTNWNwEnLPglcsJENoelTylDBUYGzlCwBaczSMrvnzTpOxDHYQfVaFbBIlcTeXyBjjJeVfMwyFLmkwPudsIDUHJWVUKHdlzBgaWB console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: Set ALIrgQMTXdHxgCLfBGFDNiqFtKUjlkSthcQFZAFQXeYErhwHIjMMsYXzKrYDVAIMbCuTLyd=qOFKovBRIhDYnyNfnvUVBeVbxjuAuoVCWLMCajlgBiUIWKhaPRcflxAYTodWfqLAsweNzlWkjGzxijAKYOL console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: Set NGsBkNJlWhYBvxsVHAYFVpeEquRGHGYBfvNKJACFAMfYHSXMVFenPuzDEM=tWrCdfbkZGHkuXatoUrXootLwDmLoepuWqbJbpYJpGXugxWAbwlJAPaWSsAMPMrXvAguAJHZVxNBlYvHHZgiRAFiHBRyIjTvDqJNuPqOxkNywQMUUTyQnWyWUinZRBsJAdYpgJBRZmMGM console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: Set yRPXlOurYHUNSYsqWTUtFKSCFkagQYpmpxwHlUdCDvadfBQCmYDTMIUxYjsZvRjZb=DnXJQwCaBoaChtxQOSxdNBmGJXCsyLpaSTXaEPiBdxuMevZhEGexEiIeYdqTnljQZZJzuekZLTZzxNEjXfNnIPNLlUxhOgeyidNeMGuCcrILifIlMNVpbNipkYokHXlbQ console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: Set ktqBAsolrFuwDVjpBwaTHzpDQNbUUnTkVhrElkhEqhKCrlchZbvotWjRUvKMTgfFLUufRIZfNOTx=GAGalVvwKiZwjJNBAKMXtQotycdnucdrRohWrxJaSDqNugFZkOhribEPaCjOFYVfQWlrcRbuwztAQxXRQdhaohVxDbEAiVNUILWltBEzdueNatZXFcXgKDiDqPAXhXYyFpSynMNgMUwwlowmnGVMYmlyDzlgwGyzoW console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: Set okUmSHIBPBuaSOwmHekiuZNByCnhuOIShqShEietfYxEbqsAqindWP=pbaxdpxxwShtRVNVmqiRoEpttlYhYfsWnZIQkNMVUDzLpVAEjjZdOXSFggfylivLAsGRhXJLgjWElbUpKx console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2021, 3:25 p.m.	buffer: Set MdwiAurBXnGLNiIkSfIsfCheCqgxQzucPuJxmlyLpcLhHBpbCj=TwrKprYEmSILEskVHbgMIpXiURZcwRQSEsjzMcmsAFGSBKiWvFCZhAzKtWQarDCIwPujyRpkYXkeDtGpJrYc console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 24, 2021, 3:25 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 24, 2021, 3:18 p.m.	stacktrace: EnterCriticalSection+0x1e ExitThread-0x19 kernel32+0xaa404 @ 0x76eea404 5+0x1c73 @ 0x13ff11c73 5+0x2682 @ 0x13ff12682 5+0x7556 @ 0x13ff17556 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76e5652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x771ec521 exception.instruction_r: 4e 54 44 4c 4c 2e 52 74 6c 45 78 69 74 55 73 65 exception.symbol: EnterCriticalSection+0x1e ExitThread-0x19 kernel32+0xaa404 exception.instruction: push rsp exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 697348 exception.address: 0x76eea404 registers.r14: 0 registers.r15: 0 registers.rcx: 0 registers.rsi: 0 registers.r10: 2740 registers.rbx: 0 registers.rsp: 1375680 registers.r11: 1370496 registers.r8: 31 registers.r9: 1790 registers.rdx: 2147483648 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1	0	0

Performs some HTTP requests (1 event)

request

GET http://ip-api.com/line

Allocates read-write-execute memory (usually to unpack itself) (49 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74231000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74221000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73771000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cd4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 2252 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 90112 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c73000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 2252 region_size: 155648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d94000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dd2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72531000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73711000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74201000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d94000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dd2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72531000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73711000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74201000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d94000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dd2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 2720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 2720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d94000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 2720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dd2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 1852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d94000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 3:26 p.m.	process_identifier: 492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00960000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:26 p.m.	process_identifier: 492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 172032 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x041e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:26 p.m.	process_identifier: 492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0420b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:26 p.m.	process_identifier: 492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04215000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:26 p.m.	process_identifier: 492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04217000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:26 p.m.	process_identifier: 492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04218000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 1816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 1816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d94000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 1816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 3:26 p.m.	process_identifier: 1816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:26 p.m.	process_identifier: 1816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 106496 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04831000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:26 p.m.	process_identifier: 1816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0484b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:26 p.m.	process_identifier: 1816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04853000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:26 p.m.	process_identifier: 1816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04855000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:26 p.m.	process_identifier: 1816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04856000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 3:25 p.m.	process_identifier: 3032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW March 24, 2021, 3:25 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13722124288 root_path: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf total_number_of_bytes: 0	1	1	0
GetDiskFreeSpaceExW March 24, 2021, 3:25 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13720223744 root_path: C:\Users\test22\AppData\Local\Temp\zzguiZoqUNz total_number_of_bytes: 0	1	1	0

Looks up the external IP address (1 event)

domain

ip-api.com

Creates executable files on the filesystem (7 events)

file	C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf\Metto.com
file	C:\Users\test22\AppData\Local\Temp\New Feature\5.exe
file	C:\Users\test22\AppData\Local\Temp\zzguiZoqUNz\Uso.com
file	C:\Users\test22\AppData\Local\Temp\nsa63B5.tmp\UAC.dll
file	C:\Users\test22\AppData\Local\Temp\New Feature\vpn.exe
file	C:\Users\test22\AppData\Local\Temp\New Feature\4.exe
file	C:\Users\test22\AppData\Local\Temp\New Feature\6.exe

Creates a suspicious process (6 events)

cmdline	"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\ebhuvpvbacx & timeout 2 & del /f /q "C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf\Metto.com"
cmdline	"C:\Windows\System32\cmd.exe" /c cmd < Rimasta.aspx
cmdline	"C:\Windows\System32\cmd.exe" /c cmd < Conoscerla.wpd
cmdline	"C:\Windows\System32\cmd.exe" /c echo WWjSNMM
cmdline	"C:\Windows\System32\cmd.exe" /c echo RzfYXJ
cmdline	C:\Windows\System32\cmd.exe /c rd /s /q C:\ProgramData\ebhuvpvbacx & timeout 2 & del /f /q "C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf\Metto.com"

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf\Metto.com

Drops an executable to the user AppData folder (5 events)

file	C:\Users\test22\AppData\Local\Temp\New Feature\vpn.exe
file	C:\Users\test22\AppData\Local\Temp\nsa63B5.tmp\UAC.dll
file	C:\Users\test22\AppData\Local\Temp\New Feature\4.exe
file	C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf\Metto.com
file	C:\Users\test22\AppData\Local\Temp\New Feature\6.exe

A process created a hidden window (6 events)

Time & API	Arguments	Status	Return
ShellExecuteExW March 24, 2021, 3:25 p.m.	show_type: 0 filepath_r: cmd parameters: /c echo WWjSNMM filepath: cmd	1	1
ShellExecuteExW March 24, 2021, 3:25 p.m.	show_type: 0 filepath_r: cmd parameters: /c cmd < Rimasta.aspx filepath: cmd	1	1
ShellExecuteExW March 24, 2021, 3:25 p.m.	show_type: 0 filepath_r: cmd parameters: /c echo RzfYXJ filepath: cmd	1	1
ShellExecuteExW March 24, 2021, 3:25 p.m.	show_type: 0 filepath_r: cmd parameters: /c cmd < Conoscerla.wpd filepath: cmd	1	1
ShellExecuteExW March 24, 2021, 3:26 p.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c rd /s /q C:\ProgramData\ebhuvpvbacx & timeout 2 & del /f /q "C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf\Metto.com" filepath: C:\Windows\System32\cmd.exe	1	1
ShellExecuteExW March 24, 2021, 3:26 p.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c rd /s /q C:\ProgramData\ebhuvpvbacx & timeout 2 & del /f /q "C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf\Metto.com" filepath: C:\Windows\System32\cmd.exe	1	1

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\ebhuvpvbacx & timeout 2 & del /f /q "C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf\Metto.com"
cmdline	C:\Windows\System32\cmd.exe /c rd /s /q C:\ProgramData\ebhuvpvbacx & timeout 2 & del /f /q "C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf\Metto.com"
cmdline	ping 127.0.0.1 -n 30

Attempts to identify installed AV products by installation directory (3 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\AVG
file	C:\ProgramData\Avg

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2216 resumed a thread in remote process 808
Process injection	Process 1912 resumed a thread in remote process 2720
NtResumeThread March 24, 2021, 3:25 p.m.	thread_handle: 0x00000134 suspend_count: 0 process_identifier: 808	1	0	0
NtResumeThread March 24, 2021, 3:25 p.m.	thread_handle: 0x00000134 suspend_count: 0 process_identifier: 2720	1	0	0

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation March 24, 2021, 3:18 p.m.	information_class: 76 (SystemFirmwareTableInformation)		-1073741789	0

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.36458209
FireEye	Generic.mg.7fb4bc02c317b69c
McAfee	Artemis!7FB4BC02C317
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	TrojanDownloader:Win32/Azorult.a551f6ed
K7GW	Trojan ( 00578ae71 )
K7AntiVirus	Trojan ( 00578ae71 )
Arcabit	Trojan.Generic.D22C4EE1
BitDefenderTheta	Gen:NN.ZexaF.34628.uC0@aGwvgPmG
Cyren	W64/Trojan.IVFW-2360
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win64:CoinminerX-gen [Trj]
ClamAV	Win.Malware.Generickdz-9839111-0
Kaspersky	HEUR:Trojan.Win32.Zenpak.gen
BitDefender	Trojan.GenericKD.36458209
NANO-Antivirus	Trojan.Win32.Zenpak.inyapu
Paloalto	generic.ml
Rising	Trojan.HiddenRun/SFX!1.D2BC (CLASSIC:bWQ1Ooo1Lsmmo2n7XW11ElVPnQ8)
Ad-Aware	Trojan.GenericKD.36458209
Emsisoft	Trojan.Packed (A)
Comodo	Malware@#3g61cawceql3v
DrWeb	Trojan.DownLoader37.2799
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TrojanSpy.Win32.SPROTECTOR.USMANC321
McAfee-GW-Edition	BehavesLike.Win32.Dropper.vc
Sophos	Mal/Generic-S
Ikarus	Trojan-Downloader.Win64.Agent
Webroot	W32.Malware.Gen
Avira	HEUR/AGEN.1140895
Kingsoft	Win32.PSWTroj.Undef.(kcloud)
Gridinsoft	Trojan.Win32.Packed.ns
Microsoft	Trojan:Win32/Azorult.NB!MTB
ViRobot	Trojan.Win32.Z.Zenpak.2646570
GData	Win32.Application.iObit.B
Cynet	Malicious (score: 90)
AhnLab-V3	Trojan/Win32.Coinstealer.R370372
VBA32	BScope.Backdoor.Mokes
ALYac	Trojan.GenericKD.36458209
MAX	malware (ai score=100)
Malwarebytes	Malware.AI.4270139457
ESET-NOD32	multiple detections
TrendMicro-HouseCall	TrojanSpy.Win32.SPROTECTOR.USMANC321
Tencent	Win32.Trojan.Zenpak.Ammm
SentinelOne	Static AI - Suspicious PE
eGambit	Unsafe.AI_Score_56%
Fortinet	Riskware/Zenpak

lv.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All