popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

lv.exe

Malicious Library
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 March 24, 2021, 5:10 p.m. March 24, 2021, 5:11 p.m.
Size 2.5MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 7fb4bc02c317b69c178833f4af693b75
SHA256 8cec146d7a7b594cf7748b35c63ea1fed2c994ef2cdbb5731f1b15d9c9fa1ee3
CRC32 49B42FD5
ssdeep 49152:61drDcvHXZaxVK3lNgDtn3EDe52c8aMex0g0JuvL4I2zvGAPReTCqg:adW3ZabUgDtt2c2hg0JufGvGA5rqg
Yara
  • PE_Header_Zero - PE File Signature Zero
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • IsPE32 - (no description)
  • IsWindowsGUI - (no description)
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasRichSignature - Rich Signature Check

Name Response Post-Analysis Lookup
rgRZxLIUbSUAgHDjT.rgRZxLIUbSUAgHDjT
iLzeDyTgvR.iLzeDyTgvR
ip-api.com
A 208.95.112.1
208.95.112.1
IP Address Status Action
164.124.101.2 Active Moloch
208.95.112.1 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49225 -> 208.95.112.1:80 2022082 ET POLICY External IP Lookup ip-api.com Device Retrieving External IP Address Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: WWjSNMM
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: RzfYXJ
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Microsoft Windows [Version 6.1.7601]
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Copyright (c) 2009 Microsoft Corporation. All rights reserved.
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Set unAPScB=M
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Set wvUrbRxvKPINkUBmPSJNLpRgcPNsYTsejlcOnCruWcFqJNUEZfrDSCKSFGIIre=RbGBwnMwjOCQdDQEHUpaIQOpJmCpSUceUWOCejTyjgQOfMzgOwqOUJQqJbRCVDoazmVxPgCxwtuxZqUXygxQTGoluNTFcdpIyncPQZmmmGNPCcwJDTvHosnMsLhwxWYKVbgBEtiuO
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Set shTzHKMleCUBmNqJntLnyCHeUyiAtnLdThqlSYrDflTvQzXBBVFexdPOGQnCDjyDQDIjNPQAwooVJ=jAiGYpTIWCnkEemAqetdFjLLNLtywkiUycEYcWhWKiHyOBlOqAoyQaEZOcSjtNHKcDypbAyrPiFnEGXjBdtAewrMQElqtqRXmXJlcqdA
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Set ydINucibGLOIiHzmzzSdyYPfIYHWNQAZEtXLxZJpeCbfrgafdKeHbpduBzyoNl=QlOtrJItxJJhCAAjzGaGeOTCxNRlwTBvRRHtflgFHGIYOWNFwuLBcEIeskJfSneAihcLTcWpsMYvyUOnqkoUoZwhpFNtAZMpDiQBAeMFlBlIFjWvbkfGfiaokoBhHSJaZPTYtjYXmCKGPaIXJsGgKuUcPIfsAnYaSSIQ
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Set XskhsiMbLzTAEDdkxITUbpvXGbqEaOXKREMZcwaZoXrfvRWVIubpOVVOVhGU=iyXcoIqRdQzfUMAuiAPByWkdNVVJYrixnSqSyThoVrsftUUpxHONRaqkTHIhNdTjIYQwMIqhjGFwEVkTqMgdfxCuROYnlq
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Set ElyHyrSvMHAAkNZHXcPjqeDXgcKlXJCejkqQngyPofBIOUsaSiwecNxCHoaKzI=rtbhZMooIfqtLAUoxtssQHmHmQbpdWcvmQnEdGsFJYaNcIJwNZYFwdIcEQNpgZRMTDEUefSNNMHRfMjRivvsYQcooeZATodKuGTRrPZbulSgIQuRDWwSCAOeocMZfaUEcXLJScNav
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Set lNYuAsWoWXuniGRQIHeqiOdhTLybZooJvDfwteVceicXbXPtRwMyfcRvvKjOkmoNObwDsQLFLHXZazQ=WqFXvrzqMSExQipDZIoqVkNqfizInRtrTfSkTksLtqRnjsOEnxqKlQwKhFHgJLCVOBAAfYJNdbWUxfOYaPprQxSrgoXgDeeanVJLQhfALjzNTufXQJWTBntxIbjiqxlgcDvnFeotAJaDqtpiSZnTuoRZRfezwomdetadKQaOARzRuAzDhygqWdijMvHdqPrs
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Set wBWMT=3
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Set HJagOZSdVnyVTmxLXyEhoeOLOeHyZbRzIjzjYTnMEsxBJibKGQY=foTEVHmMaNdbHMhHuoNtGRJRHjeHEWnonltAaOddzMzQqWUXUQEnrUqbneXJESivgiZvHMgaRvKUnTQLayMOsqyElHwdQHLAEXBSXbfiBjGGpuYFkkdmyzygecjqLYBlKlfBsYNVPFhyzmxtIvyEskxlRjQC
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Set gvDKvWZQbhjncKAuqVCwoafSWTnPtJtikKBoJxXDxhloSuVBTtRshBeW=KOCbpLOpyjKosvGYZGUiiZPXWWqRNUKHEeZFxylCvZNTkzBHkzhUoOZLYFAhLWclCrDfbqDUvsLikVMDxaGxGPnQehHPEXR
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Set DDsiPjlkPznQeRmeSXSadwDMFNhpzOfnAkEIEFOooxFhsHOlOEWHtnpCZEBwYqRq=ZfQhQbhoKpVvdcXZrcPSIxeeeJqrMpoDEpsaXWYuInzghyIoEeVFeocFhNkublcAwaRutFwubIppqNPWqRnKgDAv
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Set LtpLRIbrThVgCtZqPixYjFmYguGLLjnRcaaASxGZMyiATInMmJmcunBuEkbKeMsGPrSlMnoxB=jubZtGITjwNeLXQkWGXVXZNAKQPhqwAtTMjcIEuQeomdTMaVxABBbGbjaXggQxSkAJoYLxCsAuSOAbHYbUTAmZGjfZeLdSqIfgPlDzlZXlwsOILUddQWAaLBeWJLaRw
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Set upnkIbxtKUCfXfnGhicZwtoXDhiHJnGyozlEpAjSWMkFPvENbrblvwGwwBIcfMxkgvuEt=vNVCrfSDiuIxlGwvJiNoDIRQDpsqdadqIDGJfUYdpbxBMVCNlSNZQVdOVtZTXSjOQILHZsiPovZyhftHHEQnFspMjSNlVyaskGLrpUOSLYQxWkAGqsjzeNommZxiEWUetIUHEqbMQYNHAOQwsilDTZgbbjElAGgOtNdhdTwZTmDtZBYKpzPvMdptzv
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Set avhjpJZCMnCKnukKzclnWhTquRReNEkUUJJCFhxxqYjkHJsdAGQJoYh=DjyaSXPohHPPvItuwQnXwHzbABBiNCLWcEYaieBrprYZTCTRCJHaAdrVTHRscHxLWTzRJLYZgxOXIxEXHJFtUzvyBr
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Set mllHBJheZoeiQKIryCyhmrUJLedRDbhfGjnOrNjhcsEPFBOzkfsDcQqvdAVnzvmC=MAEjUZafRRinttphWFgyKUQkenCRNUZSwUSwlisfZhDYTXkvMkvQlvlSKapcvABXSgvlkoePgYuvdSathuyCnoHEJqdSXVTnMGuEAqlDoGBjdNBRZtofcYnJGRAkRlRatIKJLODjWBxRGxgWmmSSNDeNibXJAZLXPpoHrRylBVzUEHekCELasYEBGWCg
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Set ULWPvebjH=A
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Set zHsRpooAxLuVhzFQEGwufQxGlvtiFEZVLtYJHNsbNwUtOPJvQkTGGMsChLHMrwUQMllpx=pRfDahWfSxNIdzLzfZMvvVyExMiraDFmwUeedezrFYThZcKBtzVlvYAhLKpFuSXgOhGvdJejFJQbeSFYeFYYHxrrxPdGTNWNwEnLPglcsJENoelTylDBUYGzlCwBaczSMrvnzTpOxDHYQfVaFbBIlcTeXyBjjJeVfMwyFLmkwPudsIDUHJWVUKHdlzBgaWB
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Set ALIrgQMTXdHxgCLfBGFDNiqFtKUjlkSthcQFZAFQXeYErhwHIjMMsYXzKrYDVAIMbCuTLyd=qOFKovBRIhDYnyNfnvUVBeVbxjuAuoVCWLMCajlgBiUIWKhaPRcflxAYTodWfqLAsweNzlWkjGzxijAKYOL
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Set NGsBkNJlWhYBvxsVHAYFVpeEquRGHGYBfvNKJACFAMfYHSXMVFenPuzDEM=tWrCdfbkZGHkuXatoUrXootLwDmLoepuWqbJbpYJpGXugxWAbwlJAPaWSsAMPMrXvAguAJHZVxNBlYvHHZgiRAFiHBRyIjTvDqJNuPqOxkNywQMUUTyQnWyWUinZRBsJAdYpgJBRZmMGM
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Set yRPXlOurYHUNSYsqWTUtFKSCFkagQYpmpxwHlUdCDvadfBQCmYDTMIUxYjsZvRjZb=DnXJQwCaBoaChtxQOSxdNBmGJXCsyLpaSTXaEPiBdxuMevZhEGexEiIeYdqTnljQZZJzuekZLTZzxNEjXfNnIPNLlUxhOgeyidNeMGuCcrILifIlMNVpbNipkYokHXlbQ
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Set ktqBAsolrFuwDVjpBwaTHzpDQNbUUnTkVhrElkhEqhKCrlchZbvotWjRUvKMTgfFLUufRIZfNOTx=GAGalVvwKiZwjJNBAKMXtQotycdnucdrRohWrxJaSDqNugFZkOhribEPaCjOFYVfQWlrcRbuwztAQxXRQdhaohVxDbEAiVNUILWltBEzdueNatZXFcXgKDiDqPAXhXYyFpSynMNgMUwwlowmnGVMYmlyDzlgwGyzoW
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Set okUmSHIBPBuaSOwmHekiuZNByCnhuOIShqShEietfYxEbqsAqindWP=pbaxdpxxwShtRVNVmqiRoEpttlYhYfsWnZIQkNMVUDzLpVAEjjZdOXSFggfylivLAsGRhXJLgjWElbUpKx
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Set MdwiAurBXnGLNiIkSfIsfCheCqgxQzucPuJxmlyLpcLhHBpbCj=TwrKprYEmSILEskVHbgMIpXiURZcwRQSEsjzMcmsAFGSBKiWvFCZhAzKtWQarDCIwPujyRpkYXkeDtGpJrYc
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
EnterCriticalSection+0x1e ExitThread-0x19 kernel32+0xaa404 @ 0x76eea404
5+0x1c73 @ 0x13f301c73
5+0x2682 @ 0x13f302682
5+0x7556 @ 0x13f307556
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76e5652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x771ec521

exception.instruction_r: 4e 54 44 4c 4c 2e 52 74 6c 45 78 69 74 55 73 65
exception.symbol: EnterCriticalSection+0x1e ExitThread-0x19 kernel32+0xaa404
exception.instruction: push rsp
exception.module: kernel32.dll
exception.exception_code: 0xc0000005
exception.offset: 697348
exception.address: 0x76eea404
registers.r14: 0
registers.r15: 0
registers.rcx: 0
registers.rsi: 0
registers.r10: 2740
registers.rbx: 0
registers.rsp: 2948368
registers.r11: 2943184
registers.r8: 31
registers.r9: 1790
registers.rdx: 2147483648
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 0
registers.r13: 0
1 0 0
request GET http://ip-api.com/line
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73761000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74e51000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10001000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73751000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72791000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72754000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72792000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2236
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 90112
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009f3000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2236
region_size: 155648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00980000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1396
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72901000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1396
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73764000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1396
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72902000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1396
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72771000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1396
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72701000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1396
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74e51000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1396
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x736f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1976
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72901000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1976
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73764000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1976
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72902000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1976
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72771000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1976
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72701000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1976
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74e51000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1976
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x736f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72901000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73764000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72902000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1512
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72901000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1512
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73764000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1512
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72902000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1512
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1512
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 172032
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03dc1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1512
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 40960
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03deb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1512
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03df5000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1512
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03df7000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1512
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03df8000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72901000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73764000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72902000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 260
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72901000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 260
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73764000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 260
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72902000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00980000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 260
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 106496
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x048d1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 260
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x048eb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 260
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x048f3000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 260
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x048f5000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 260
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x048f6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73321000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2260
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73321000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

 total_number_of_free_bytes: 0
free_bytes_available: 13723500544
root_path: C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf
total_number_of_bytes: 0
1 1 0

GetDiskFreeSpaceExW

 total_number_of_free_bytes: 0
free_bytes_available: 13721600000
root_path: C:\Users\test22\AppData\Local\Temp\zzguiZoqUNz
total_number_of_bytes: 0
1 1 0
domain ip-api.com
file C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf\Metto.com
file C:\Users\test22\AppData\Local\Temp\New Feature\5.exe
file C:\Users\test22\AppData\Local\Temp\zzguiZoqUNz\Uso.com
file C:\Users\test22\AppData\Local\Temp\New Feature\vpn.exe
file C:\Users\test22\AppData\Local\Temp\nsp6386.tmp\UAC.dll
file C:\Users\test22\AppData\Local\Temp\New Feature\4.exe
file C:\Users\test22\AppData\Local\Temp\New Feature\6.exe
cmdline C:\Windows\System32\cmd.exe /c rd /s /q C:\ProgramData\mrrckbjj & timeout 2 & del /f /q "C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf\Metto.com"
cmdline "C:\Windows\System32\cmd.exe" /c cmd < Rimasta.aspx
cmdline "C:\Windows\System32\cmd.exe" /c cmd < Conoscerla.wpd
cmdline "C:\Windows\System32\cmd.exe" /c echo WWjSNMM
cmdline "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\mrrckbjj & timeout 2 & del /f /q "C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf\Metto.com"
cmdline "C:\Windows\System32\cmd.exe" /c echo RzfYXJ
file C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf\Metto.com
file C:\Users\test22\AppData\Local\Temp\New Feature\vpn.exe
file C:\Users\test22\AppData\Local\Temp\nsp6386.tmp\UAC.dll
file C:\Users\test22\AppData\Local\Temp\New Feature\4.exe
file C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf\Metto.com
file C:\Users\test22\AppData\Local\Temp\New Feature\6.exe
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: cmd
parameters: /c echo WWjSNMM
filepath: cmd
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: cmd
parameters: /c cmd < Rimasta.aspx
filepath: cmd
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: cmd
parameters: /c echo RzfYXJ
filepath: cmd
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: cmd
parameters: /c cmd < Conoscerla.wpd
filepath: cmd
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: C:\Windows\system32\cmd.exe
parameters: /c rd /s /q C:\ProgramData\mrrckbjj & timeout 2 & del /f /q "C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf\Metto.com"
filepath: C:\Windows\System32\cmd.exe
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: C:\Windows\system32\cmd.exe
parameters: /c rd /s /q C:\ProgramData\mrrckbjj & timeout 2 & del /f /q "C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf\Metto.com"
filepath: C:\Windows\System32\cmd.exe
1 1 0
url http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url http://purl.org/rss/1.0/
url http://www.passport.com
description Code injection with CreateRemoteThread in a remote process rule inject_thread
description Hijack network configuration rule hijack_network
description Create a windows service rule create_service
description Create a COM server rule create_com_service
description Communications over UDP network rule network_udp_sock
description Listen for incoming communication rule network_tcp_listen
description Communications over Toredo network rule network_toredo
description Communications over P2P network rule network_p2p_win
description Communications over HTTP rule network_http
description File downloader/dropper rule network_dropper
description Communications over FTP rule network_ftp
description Communications over RAW socket rule network_tcp_socket
description Communications use DNS rule network_dns
description Communication using dga rule network_dga
description Escalade priviledges rule escalate_priv
description Take screenshot rule screenshot
description Run a keylogger rule keylogger
description Steal credential rule cred_local
description Record Audio rule sniff_audio
description APC queue tasks migration rule migrate_apc
description Malware can spread east-west file rule spreading_file
description Malware can spread east-west using share drive rule spreading_share
description Create or check mutex rule win_mutex
description Affect system registries rule win_registry
description Affect system token rule win_token
description Affect private profile rule win_private_profile
description Affect private profile rule win_files_operation
description Match Winsock 2 API library declaration rule Str_Win32_Winsock2_Library
description Match Windows Inet API library declaration rule Str_Win32_Wininet_Library
description Match Windows Inet API call rule Str_Win32_Internet_API
description Match Windows Http API call rule Str_Win32_Http_API
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Code injection with CreateRemoteThread in a remote process rule inject_thread
description Hijack network configuration rule hijack_network
description Create a windows service rule create_service
description Create a COM server rule create_com_service
description Communications over UDP network rule network_udp_sock
cmdline C:\Windows\System32\cmd.exe /c rd /s /q C:\ProgramData\mrrckbjj & timeout 2 & del /f /q "C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf\Metto.com"
cmdline "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\mrrckbjj & timeout 2 & del /f /q "C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf\Metto.com"
cmdline ping 127.0.0.1 -n 30
file C:\ProgramData\AVAST Software
file C:\ProgramData\AVG
file C:\ProgramData\Avg
Process injection Process 2416 resumed a thread in remote process 2564
Process injection Process 2724 resumed a thread in remote process 2680
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x00000134
suspend_count: 0
process_identifier: 2564
1 0 0

NtResumeThread

 thread_handle: 0x00000134
suspend_count: 0
process_identifier: 2680
1 0 0
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

 information_class: 76 (SystemFirmwareTableInformation)
-1073741789 0
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.36458209
FireEye Generic.mg.7fb4bc02c317b69c
McAfee Artemis!7FB4BC02C317
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (W)
Alibaba TrojanDownloader:Win32/Azorult.a551f6ed
K7GW Trojan ( 00578ae71 )
K7AntiVirus Trojan ( 00578ae71 )
Arcabit Trojan.Generic.D22C4EE1
BitDefenderTheta Gen:NN.ZexaF.34628.uC0@aGwvgPmG
Cyren W64/Trojan.IVFW-2360
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win64:CoinminerX-gen [Trj]
ClamAV Win.Malware.Generickdz-9839111-0
Kaspersky HEUR:Trojan.Win32.Zenpak.gen
BitDefender Trojan.GenericKD.36458209
NANO-Antivirus Trojan.Win32.Zenpak.inyapu
Paloalto generic.ml
Rising Trojan.HiddenRun/SFX!1.D2BC (CLASSIC:bWQ1Ooo1Lsmmo2n7XW11ElVPnQ8)
Ad-Aware Trojan.GenericKD.36458209
Emsisoft Trojan.Packed (A)
Comodo Malware@#3g61cawceql3v
DrWeb Trojan.DownLoader37.2799
VIPRE Trojan.Win32.Generic!BT
TrendMicro TrojanSpy.Win32.SPROTECTOR.USMANC321
McAfee-GW-Edition BehavesLike.Win32.Dropper.vc
Sophos Mal/Generic-S
Ikarus Trojan-Downloader.Win64.Agent
Webroot W32.Malware.Gen
Avira HEUR/AGEN.1140895
Kingsoft Win32.PSWTroj.Undef.(kcloud)
Gridinsoft Trojan.Win32.Packed.ns
Microsoft Trojan:Win32/Azorult.NB!MTB
ViRobot Trojan.Win32.Z.Zenpak.2646570
GData Win32.Application.iObit.B
Cynet Malicious (score: 90)
AhnLab-V3 Trojan/Win32.Coinstealer.R370372
VBA32 BScope.Backdoor.Mokes
ALYac Trojan.GenericKD.36458209
MAX malware (ai score=100)
Malwarebytes Malware.AI.4270139457
ESET-NOD32 multiple detections
TrendMicro-HouseCall TrojanSpy.Win32.SPROTECTOR.USMANC321
Tencent Win32.Trojan.Zenpak.Ammm
SentinelOne Static AI - Suspicious PE
eGambit Unsafe.AI_Score_56%
Fortinet Riskware/Zenpak