Summary | ZeroBOX

calc.txt

AsyncRAT AgentTesla info stealer browser email stealer Google Chrome User Data ScreenShot PWS KeyLogger DNS Socket AntiDebug PE File PE32 .NET EXE AntiVM
Category Machine Started Completed
FILE s1_win7_x6402 May 3, 2021, 4:46 p.m. May 3, 2021, 4:54 p.m.
Size 631.0KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 59e1199f32a8f13b0efbdd092b02b165
SHA256 9133c16f469cf207152a1a8b2d8f0c59533d2f632b17828973c6a6a37b31fa97
CRC32 8F2EAA9C
ssdeep 12288:qD9VXrz9M0mo86HiBADJuSxRvi1W8rLZ2xYhdUezVfyo8jys:qX7zx2VIez5yLj
Yara
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult
  • Is_DotNET_EXE - (no description)
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
www.google.com 172.217.31.132
IP Address Status Action
164.124.101.2 Active Moloch
172.217.25.14 Active Moloch
216.58.220.196 Active Moloch
79.134.225.52 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49806 -> 216.58.220.196:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49808 -> 204.79.197.200:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.102:49806 -> 216.58.220.196:443 C=US, O=Google Trust Services, CN=GTS CA 1O1 C=US, ST=California, L=Mountain View, O=Google LLC, CN=www.google.com f0:48:7a:59:65:34:33:f8:a1:92:c6:c4:fb:9a:cc:c5:ad:0c:b3:e2
TLSv1 192.168.56.102:49808 -> 204.79.197.200:443 C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01 CN=www.bing.com 29:b4:ed:e7:1f:1c:1b:12:99:6c:9b:1e:27:75:ac:01:25:15:77:1f

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
0x8a2816
0x8a2527
0x8a2052
0x8a015f
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 74 07
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x8a3458
registers.esp: 1568284
registers.edi: 38826520
registers.eax: 0
registers.ebp: 1568368
registers.edx: 0
registers.ebx: 38825360
registers.esi: 38825816
registers.ecx: 1857965358
1 0 0

__exception__

stacktrace:
0x8a2816
0x8a2527
0x8a2052
0x8a015f
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 74 07
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x8a3458
registers.esp: 1568284
registers.edi: 38826520
registers.eax: 0
registers.ebp: 1568368
registers.edx: 0
registers.ebx: 38825404
registers.esi: 38851356
registers.ecx: 1857965358
1 0 0

__exception__

stacktrace:
0x8a2816
0x8a2527
0x8a2052
0x8a015f
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 74 07
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x8a3458
registers.esp: 1568284
registers.edi: 38826520
registers.eax: 0
registers.ebp: 1568368
registers.edx: 0
registers.ebx: 38825448
registers.esi: 38858600
registers.ecx: 1857965358
1 0 0

__exception__

stacktrace:
0x8a2816
0x8a2527
0x8a2052
0x8a015f
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 74 07
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x8a3458
registers.esp: 1568284
registers.edi: 38826520
registers.eax: 0
registers.ebp: 1568368
registers.edx: 0
registers.ebx: 38825492
registers.esi: 38865836
registers.ecx: 1857965358
1 0 0

__exception__

stacktrace:
0x8a2816
0x8a2527
0x8a2052
0x8a015f
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 74 07
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x8a3458
registers.esp: 1568284
registers.edi: 38826520
registers.eax: 0
registers.ebp: 1568368
registers.edx: 0
registers.ebx: 38825536
registers.esi: 38873096
registers.ecx: 1857965358
1 0 0

__exception__

stacktrace:
0x8a2816
0x8a2527
0x8a2052
0x8a015f
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 74 07
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x8a3458
registers.esp: 1568284
registers.edi: 38826520
registers.eax: 0
registers.ebp: 1568368
registers.edx: 0
registers.ebx: 38825580
registers.esi: 38880340
registers.ecx: 1857965358
1 0 0

__exception__

stacktrace:
0x8a2816
0x8a2527
0x8a2052
0x8a015f
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 74 07
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x8a3458
registers.esp: 1568284
registers.edi: 38826520
registers.eax: 0
registers.ebp: 1568368
registers.edx: 0
registers.ebx: 38825624
registers.esi: 38887576
registers.ecx: 1857965358
1 0 0

__exception__

stacktrace:
0x8a2816
0x8a2527
0x8a2052
0x8a015f
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 74 07
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x8a3458
registers.esp: 1568284
registers.edi: 38826520
registers.eax: 0
registers.ebp: 1568368
registers.edx: 0
registers.ebx: 38825668
registers.esi: 38894812
registers.ecx: 1857965358
1 0 0
suspicious_features GET method with no useragent header suspicious_request GET https://www.google.com/
suspicious_features GET method with no useragent header suspicious_request GET https://www.bing.com/
request GET https://www.google.com/
request GET https://www.bing.com/
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 1835008
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00740000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8768
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fba1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8768
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fba2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 1835008
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ad0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00382000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0039c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003c5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003cb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003c7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ae0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0039a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008a1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003a6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003a7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0038a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ab000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008a2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008a3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008a4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0039d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008a5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x055ef000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x055e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008a6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008a7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008a8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008c1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8768
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73772000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008a9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0039e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x055e1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0038c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008ab000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008ac000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008ad000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008ae000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008af000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05d50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8768
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 15872
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05480400
process_handle: 0xffffffff
3221225550 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05d51000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05d52000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05d53000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05d54000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05d55000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8768
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05480178
process_handle: 0xffffffff
3221225550 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 8400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x10001000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Communications use DNS rule Network_DNS
description Communications over RAW Socket rule Network_TCP_Socket
description Run a KeyLogger rule KeyLogger
description Win.Trojan.agentTesla rule Win_Trojan_agentTesla_Zero
description Google Chrome User Data Check rule Chrome_User_Data_Check_Zero
description email clients info stealer rule infoStealer_emailClients_Zero
description browser info stealer rule infoStealer_browser_Zero
description Take ScreenShot rule ScreenShot
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
host 172.217.25.14
host 79.134.225.52
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 8400
region_size: 221184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000688
3221225496 0

NtAllocateVirtualMemory

process_identifier: 8400
region_size: 221184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000688
1 0 0
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

information_class: 8 (SystemProcessorPerformanceInformation)
1 0 0
description calc.txt tried to sleep 10912700 seconds, actually delayed analysis time by 10912700 seconds
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELr:k_à œhS$0@`jí  10äPô À3ø.texth P`.data<o0p@`À.eh_framØ †@0@.bss„f°€`À.edata1 Œ@0@.idataä0Ž@0À.relocô P¤@0B
base_address: 0x000b0000
process_identifier: 8400
process_handle: 0x00000688
1 1 0

WriteProcessMemory

buffer: zR| ˆ(Peÿÿ9A†A ƒC q AÃAÆHdeÿÿ,C h`|eÿÿ,C hx”eÿÿFC0BÌeÿÿFC0B¨fÿÿ>C0zzR| ˆ fÿÿaAƒC0| AÃA @`fÿÿaAƒC0| AÃA d¬fÿÿaAƒC0| AÃA ˆøfÿÿICZ E S E JzR| ˆÌÿÿzR| ˆàfÿÿ+C gzR| ˆ àfÿÿKD†A ƒ}ÃEÆ0@ gÿÿœA‡A †CƒH ‹Aà AÆAÇ,txgÿÿ\A†A ƒN ÃAÆA HÃAÆT¤¨gÿÿ…A…A ‡A†CƒE@M AÃAÆ AÇAÅA W EÃAÆ AÇAÅE 8üàgÿÿœA…A ‡C†CƒCPŒAÃAÆ AÇAÅ<8DhÿÿyA…A ‡F†AƒC@hAÃAÆ AÇAÅ4x„iÿÿþA‡A †AƒC Ø Aà AÆAÇA °Ljÿÿ‚AƒC x AÃA 4Ô¸jÿÿŠA‡A †AƒC0a Aà AÆAÇA 4 kÿÿŠA‡A †AƒC0a Aà AÆAÇA 4DhkÿÿœA‡A †AƒC0p Aà AÆAÇA zR| ˆ<¸kÿÿÑA…A ‡A†AƒC`0 CÃAÆ AÇAÅA zR| ˆ<@nÿÿ¸A…C ‡A†AƒC@ˆ AÃAÆ AÇAÅA <\ÀoÿÿqA…A ‡A†AƒCpt AÃAÆ AÇAÅA zR| ˆ<hxÿÿ`A…A ‡A†AƒC@2 AÃAÆ AÇAÅA zR| ˆ<pyÿÿ?A…B F‡†ƒÚ ÃAÆAÇAÅ A µ ÃAÆAÇAÅ A
base_address: 0x000da000
process_identifier: 8400
process_handle: 0x00000688
1 1 0

WriteProcessMemory

buffer: r:k_( ( ( ( 
base_address: 0x000e2000
process_identifier: 8400
process_handle: 0x00000688
1 1 0

WriteProcessMemory

buffer: X 00 0+010;0E0¦0Ä0Ë0å0ñ0122K3W3¢3944y5T6?8¿8Ò9Ú9Z:;!=+=6=Ü=æ=ñ=­>í>!?+?6? `Î14<4{4’4¢4´4Æ4Ý4è4j55‘5£5µ5Ì5×5c6z6Š6œ6®6Å6Ð6R7i7y7‹77´7¿7p9:;:q:‡:—:§:Ç:å: ;ª<è?÷?0800+0¸0Ç0Ö0í0ÿ0¦1²1Æ1Ý1ï1!2,2M2\23333.393@3G3\3d3k3r3„33–33³3»3Â3É3Û3æ3í3ô3 444 424=4D4K4R5Y5o5y55–5ª5´5Ì5Ó5ç5î5ÿ566&6E6L6_6i66†6˜6¢6±6¸6Ð6Ý6ç6ö677+767W7i7©7»7Ñ7ã7!888N8f8¡8«8Â8Ø8é9ð9::!:(:@:L:h:o:Š:”:¤:«:µ:¼:å:ì:ý:;;%;9;F;R;Y;s;};„;;Ÿ;­;Õ;Ü;÷; <$<.<L<`<x<†<¢<´<Ã<Ö<ì<= ??I?]?d?Í?î?@$0,0N0»1Ø1ù1 232¸24(4L4]44š4Ë4A5G5T5¯5Ê5Ñ5Û5â5é5ñ5ø5 666,656?6F6M6Z6a6l6u6|6‰666¦6­6º6Á6Ì6Õ6Ü6é6ð677'7-747=7d7k7í7õ7ü7 888%8-848A8I8P8h8u88˜8¥8²8É8Õ8â8ø89(9/969U9j9:;:C:M:ò:;#;-;y;á;< <<<8<M<_<…<Ú<ö<1=H=‹=’=™=¥=¬=³=º=Ã=Ê=Ñ=Ø=å= >,>K>R>k>~>„>š>¦>«>±>K?T??˜?²?Ö?Ý?æ?ú?P r00†0‹0—0ž0¥0Y1h1w1í1 22+2;2H2T2e2t2ƒ2’2¡2°2¿2Î2Ý2ì2û2 3(3-3E3J3h3m33š3»3Þ3ã3³4º4×4é4 55!5(555=5I5P5a5i5q5x5˜5Ê5Õ5_<ü<Ì=>>F>K>X>Æ>ó>þ>?`?k?„?Œ?‘?ž?`P 000;0¸0Ñ0Ù0í12&202C2H2M2[2€2‡2£2½2 3Í4c68&8P8‘9#:Ò:Ç<==5=¼=>¿>£?¾?p, 0À455?5e5¬5N6©78‚:Š;Ã;à;ø;<ú<U=€„„0¦0ô2W3m3}3V5a6v6‰6“6À67~7ž7ü7S8Ú8æ899B9™9ý9::¾:Ä:Ú:á:ï:X;^;Ÿ;¥;»;Â;Î;Ú;!<^<â<è<þ<==‚=ˆ=É=Ï=å=ì=8>¶>Ã>ê>÷>?4?’?°?Ì?á?Ä 0$0<0T0l0„0œ0´0Ì0ä0ü01,1a1l11¤1©1³1Ý120262A2Ž2 3313D33—3Ë3Ó3è344;4k4s4—4Ÿ4ï4„66Ò6ß6ÿ67S7`7†7¢7¶7Â7Þ7æ788|89F9Ý9ˆ:£:;¯;<<Q<i<†<™<©<¸<Ó<ï<==='=7=[=¹=Á=‚>4?a?•?º?×?à?é?ò?û? |0 000(010:0C0L0+151­1 292©2¶2Å2÷263…3½3Ð3Ü3ö3þ34444i4‰4>5Š5’546’6 77g7o7_8s8‹8Â8Ê8Ù89V9z9´9»9Ð9å9:u:”:®:Î:K;°0Ì:¯;õ;<ž<ä<=§=Ë=>;>î>?&?E?­?Â?å?ÿ?Àx0¦0È0U1{1Ž1×1ã1ø12.2w2ƒ2˜2»2Î23#3M33²3Í3ø3#4N4y4¤4Ï4ú4#5J5s5ž5õ5 6˜8:9:;:¨:Þ:F<= =R=^=…=ø=G>[>‰>Î>?T?|??Ðhä0A1€1´1ç1$2T2‡2Ä2ô2'3d3”3Ç3484k4ë4ý5Z6™6Í67=7m7 7Ý7 8@8}8­8à89Q9„9:>;3<<Õ<!=>>u>?1?^?Û?ü?à<ï0º2]3ý5¥6ð6797x7¤7î78S8w8«8Ì8è89"9<9Z97<o>9?A?N?ð@ò1{33£3Í6ª7ñ9\:|:‹;Ÿ;³;†=’=ð=>>,>‡>“>ñ>? ?-?ˆ?”?ò?h0!0.0‰0•0ó01"1/1Ž1›1ê1þ12&2…2’2á2õ233x3„3 4ƒ::±:½:C;’;<=™=¥=ª=¯=´=¹=À=Ñ=î=û= >>%>9>>>U>,?4!6H7Æ7U8Ô8¥9à9‡:—;™<è<}= ?l?€?§?³? 
y0Ð1C2M2b2ü2›8"=0r<=¨=>Ô>à>@\…0à0ì0c1x1›1Å1ß1í122„3È34!4W4›4£4Ì4 5œ5À5á5÷56Y6Ü6ô6s7Â7q89¶:+;„;Ñ;2<—=Ñ=û=Ä?P A2 2`D}0Ð0]1d1­1´1ö13¥3¬3×3Þ34*4ƒ4Š4š4¡45„5‹5Æ6Í679>96<C<P<í<ô<pª=»=Ì=ƒ>>\?e?€p0¹778B8h8#98;æ;62F2v4}4 4Î3Õ34 474»4Â499þ;<m<s<€<*=<=W=B>U>b>®>µ>° ¨1¯1¤45m5M6Z6’8š8:µ:À G?k?Ð(1X1µ1¡2®2»2ž3ª3Ý3X7_79s=O>V>àY0ê4ñ4¦:¢;ø;)=H=ð(A3H3 4m5k7b9°<¾?Æ?Î?Ö?Þ?æ?î?ö?þ?¤0000&0.060>0F0N0V0^0f0n0v0~0†0Ž0–0ž0¦0®0¶0¾0Æ0Î0Ö0Þ0æ0î0ö0þ01111&1.161>1F1N1V1^1f1n1v1~1†1Ž1–1ž1¦1®1¶1¾1Æ1Î1Ö1Þ1æ1î1ö1þ12222&2.262>2F2N2V2^2f2n2v2~2†2Ž2–2ž2¦2®2¶2¾2Æ2Î2Ö2Þ2æ2î2ö2þ23333&3.363>3F3N3V3^3f3n3v3~3†3Ž3–3ž3¦3®3¶3¾3Æ3Î3Ö3Þ3æ3î3ö3þ34444&4.464>4F4N4V4^4f4n4v4~4†4Ž4–4ž4¦4®4¶4¾4Æ4Î4Ö4Þ4æ4î4ö4þ45555&5.565>5F5N5V5^5š56o6¿6 7>7E7K7y7®7µ7»7é78%8+8Ñ8 >>>/>6><>‡>Ç>Î>Ô>*?W?^?d?ö?ý?H0<1C1I1Ë2Ò2Ø254<4B4’4™4Ÿ4u8|8‚8ö:ý:;>;>E>W>a>°>¾>Ë>Ò>ú>?? 11161=1C1P4 ;¤;¨;¬;°;´;¸;¼;À;Ä;È;Ì;Ð;Ô;Ø;Ü;à;ä;è;ì;ð;ô;ø;ü;<<< <<<<< <$<(<,<0<4<8<<<@<D<H<L<`<d<h<l<p<t<x<|<€<== ===== =$=(=,=0=4=8=<=@=D=H=L=P=T=X=\=`=d=h=l=p=t=x=|=€=„=ˆ=Œ==”=˜=œ= =¤=¨=¬=°=´=¸=¼=À=Ä=È=Ì=Ð=Ô=Ø=Ü=à=ä=è=ì=ð=ô=ø=ü=>>> >>>>> >$>(>,>0>4>8><>@>D>H>L>À?Ä?È?Ì?Ð?Ô?Ø?Ü?à?ä?è?ì?ð?p°L0P0T0X0\0`0d0h0l0p0t0¤6¨6¬6°6´6¸6¼6À6Ä6È6Ì6Ð6 77777 7::: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:€:„:ˆ:Œ::”:˜:œ: :¤:¨:¬:°:´:¸:¼:À:Ä:È:Ì:Ð:Ô:Ø:Ü:à:ä:è:€0 000$0,040<0D0L0
base_address: 0x000e5000
process_identifier: 8400
process_handle: 0x00000688
1 1 0

WriteProcessMemory

buffer:
base_address: 0x7efde008
process_identifier: 8400
process_handle: 0x00000688
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELr:k_à œhS$0@`jí  10äPô À3ø.texth P`.data<o0p@`À.eh_framØ †@0@.bss„f°€`À.edata1 Œ@0@.idataä0Ž@0À.relocô P¤@0B
base_address: 0x000b0000
process_identifier: 8400
process_handle: 0x00000688
1 1 0
Elastic malicious (high confidence)
FireEye Generic.mg.59e1199f32a8f13b
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/Kryptik.AARZ
APEX Malicious
Avast Win32:MalwareX-gen [Trj]
McAfee-GW-Edition BehavesLike.Win32.Generic.jh
Sophos ML/PE-A
SentinelOne Static AI - Malicious PE
Microsoft Trojan:Win32/Wacatac.B!ml
BitDefenderTheta Gen:NN.ZemsilF.34686.Nm0@a8CNLpd
Malwarebytes MachineLearning/Anomalous.94%
Ikarus Trojan.Inject
Fortinet MSIL/Kryptik.AANB!tr
AVG Win32:MalwareX-gen [Trj]
CrowdStrike win/malicious_confidence_90% (W)
Process injection Process 8768 called NtSetContextThread to modify thread in remote process 8400
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4203603
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000684
process_identifier: 8400
1 0 0
file C:\Users\test22\AppData\Local\Temp\calc.txt\:Zone.Identifier
Process injection Process 8768 resumed a thread in remote process 8400
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000684
suspend_count: 1
process_identifier: 8400
1 0 0
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 8768
1 0 0

NtResumeThread

thread_handle: 0x00000154
suspend_count: 1
process_identifier: 8768
1 0 0

NtResumeThread

thread_handle: 0x00000198
suspend_count: 1
process_identifier: 8768
1 0 0

NtResumeThread

thread_handle: 0x00000348
suspend_count: 1
process_identifier: 8768
1 0 0

NtResumeThread

thread_handle: 0x00000600
suspend_count: 1
process_identifier: 8768
1 0 0

NtResumeThread

thread_handle: 0x00000628
suspend_count: 1
process_identifier: 8768
1 0 0

NtResumeThread

thread_handle: 0x0000064c
suspend_count: 1
process_identifier: 8768
1 0 0

NtGetContextThread

thread_handle: 0x000000e8
1 0 0

NtGetContextThread

thread_handle: 0x000000e8
1 0 0

NtResumeThread

thread_handle: 0x000000e8
suspend_count: 1
process_identifier: 8768
1 0 0

NtResumeThread

thread_handle: 0x0000066c
suspend_count: 1
process_identifier: 8768
1 0 0

NtResumeThread

thread_handle: 0x00000680
suspend_count: 1
process_identifier: 8768
1 0 0

CreateProcessInternalW

thread_identifier: 9132
thread_handle: 0x00000684
process_identifier: 8400
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\AddInProcess32.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\AddInProcess32.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\AddInProcess32.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000688
1 1 0

NtGetContextThread

thread_handle: 0x00000684
1 0 0

NtAllocateVirtualMemory

process_identifier: 8400
region_size: 221184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000688
3221225496 0

NtAllocateVirtualMemory

process_identifier: 8400
region_size: 221184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000688
1 0 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELr:k_à œhS$0@`jí  10äPô À3ø.texth P`.data<o0p@`À.eh_framØ †@0@.bss„f°€`À.edata1 Œ@0@.idataä0Ž@0À.relocô P¤@0B
base_address: 0x000b0000
process_identifier: 8400
process_handle: 0x00000688
1 1 0

WriteProcessMemory

buffer:
base_address: 0x000b1000
process_identifier: 8400
process_handle: 0x00000688
1 1 0

WriteProcessMemory

buffer:
base_address: 0x000d3000
process_identifier: 8400
process_handle: 0x00000688
1 1 0

WriteProcessMemory

buffer: zR| ˆ(Peÿÿ9A†A ƒC q AÃAÆHdeÿÿ,C h`|eÿÿ,C hx”eÿÿFC0BÌeÿÿFC0B¨fÿÿ>C0zzR| ˆ fÿÿaAƒC0| AÃA @`fÿÿaAƒC0| AÃA d¬fÿÿaAƒC0| AÃA ˆøfÿÿICZ E S E JzR| ˆÌÿÿzR| ˆàfÿÿ+C gzR| ˆ àfÿÿKD†A ƒ}ÃEÆ0@ gÿÿœA‡A †CƒH ‹Aà AÆAÇ,txgÿÿ\A†A ƒN ÃAÆA HÃAÆT¤¨gÿÿ…A…A ‡A†CƒE@M AÃAÆ AÇAÅA W EÃAÆ AÇAÅE 8üàgÿÿœA…A ‡C†CƒCPŒAÃAÆ AÇAÅ<8DhÿÿyA…A ‡F†AƒC@hAÃAÆ AÇAÅ4x„iÿÿþA‡A †AƒC Ø Aà AÆAÇA °Ljÿÿ‚AƒC x AÃA 4Ô¸jÿÿŠA‡A †AƒC0a Aà AÆAÇA 4 kÿÿŠA‡A †AƒC0a Aà AÆAÇA 4DhkÿÿœA‡A †AƒC0p Aà AÆAÇA zR| ˆ<¸kÿÿÑA…A ‡A†AƒC`0 CÃAÆ AÇAÅA zR| ˆ<@nÿÿ¸A…C ‡A†AƒC@ˆ AÃAÆ AÇAÅA <\ÀoÿÿqA…A ‡A†AƒCpt AÃAÆ AÇAÅA zR| ˆ<hxÿÿ`A…A ‡A†AƒC@2 AÃAÆ AÇAÅA zR| ˆ<pyÿÿ?A…B F‡†ƒÚ ÃAÆAÇAÅ A µ ÃAÆAÇAÅ A
base_address: 0x000da000
process_identifier: 8400
process_handle: 0x00000688
1 1 0

WriteProcessMemory

buffer: r:k_( ( ( ( 
base_address: 0x000e2000
process_identifier: 8400
process_handle: 0x00000688
1 1 0

WriteProcessMemory

buffer:
base_address: 0x000e3000
process_identifier: 8400
process_handle: 0x00000688
1 1 0

WriteProcessMemory

buffer: X 00 0+010;0E0¦0Ä0Ë0å0ñ0122K3W3¢3944y5T6?8¿8Ò9Ú9Z:;!=+=6=Ü=æ=ñ=­>í>!?+?6? `Î14<4{4’4¢4´4Æ4Ý4è4j55‘5£5µ5Ì5×5c6z6Š6œ6®6Å6Ð6R7i7y7‹77´7¿7p9:;:q:‡:—:§:Ç:å: ;ª<è?÷?0800+0¸0Ç0Ö0í0ÿ0¦1²1Æ1Ý1ï1!2,2M2\23333.393@3G3\3d3k3r3„33–33³3»3Â3É3Û3æ3í3ô3 444 424=4D4K4R5Y5o5y55–5ª5´5Ì5Ó5ç5î5ÿ566&6E6L6_6i66†6˜6¢6±6¸6Ð6Ý6ç6ö677+767W7i7©7»7Ñ7ã7!888N8f8¡8«8Â8Ø8é9ð9::!:(:@:L:h:o:Š:”:¤:«:µ:¼:å:ì:ý:;;%;9;F;R;Y;s;};„;;Ÿ;­;Õ;Ü;÷; <$<.<L<`<x<†<¢<´<Ã<Ö<ì<= ??I?]?d?Í?î?@$0,0N0»1Ø1ù1 232¸24(4L4]44š4Ë4A5G5T5¯5Ê5Ñ5Û5â5é5ñ5ø5 666,656?6F6M6Z6a6l6u6|6‰666¦6­6º6Á6Ì6Õ6Ü6é6ð677'7-747=7d7k7í7õ7ü7 888%8-848A8I8P8h8u88˜8¥8²8É8Õ8â8ø89(9/969U9j9:;:C:M:ò:;#;-;y;á;< <<<8<M<_<…<Ú<ö<1=H=‹=’=™=¥=¬=³=º=Ã=Ê=Ñ=Ø=å= >,>K>R>k>~>„>š>¦>«>±>K?T??˜?²?Ö?Ý?æ?ú?P r00†0‹0—0ž0¥0Y1h1w1í1 22+2;2H2T2e2t2ƒ2’2¡2°2¿2Î2Ý2ì2û2 3(3-3E3J3h3m33š3»3Þ3ã3³4º4×4é4 55!5(555=5I5P5a5i5q5x5˜5Ê5Õ5_<ü<Ì=>>F>K>X>Æ>ó>þ>?`?k?„?Œ?‘?ž?`P 000;0¸0Ñ0Ù0í12&202C2H2M2[2€2‡2£2½2 3Í4c68&8P8‘9#:Ò:Ç<==5=¼=>¿>£?¾?p, 0À455?5e5¬5N6©78‚:Š;Ã;à;ø;<ú<U=€„„0¦0ô2W3m3}3V5a6v6‰6“6À67~7ž7ü7S8Ú8æ899B9™9ý9::¾:Ä:Ú:á:ï:X;^;Ÿ;¥;»;Â;Î;Ú;!<^<â<è<þ<==‚=ˆ=É=Ï=å=ì=8>¶>Ã>ê>÷>?4?’?°?Ì?á?Ä 0$0<0T0l0„0œ0´0Ì0ä0ü01,1a1l11¤1©1³1Ý120262A2Ž2 3313D33—3Ë3Ó3è344;4k4s4—4Ÿ4ï4„66Ò6ß6ÿ67S7`7†7¢7¶7Â7Þ7æ788|89F9Ý9ˆ:£:;¯;<<Q<i<†<™<©<¸<Ó<ï<==='=7=[=¹=Á=‚>4?a?•?º?×?à?é?ò?û? |0 000(010:0C0L0+151­1 292©2¶2Å2÷263…3½3Ð3Ü3ö3þ34444i4‰4>5Š5’546’6 77g7o7_8s8‹8Â8Ê8Ù89V9z9´9»9Ð9å9:u:”:®:Î:K;°0Ì:¯;õ;<ž<ä<=§=Ë=>;>î>?&?E?­?Â?å?ÿ?Àx0¦0È0U1{1Ž1×1ã1ø12.2w2ƒ2˜2»2Î23#3M33²3Í3ø3#4N4y4¤4Ï4ú4#5J5s5ž5õ5 6˜8:9:;:¨:Þ:F<= =R=^=…=ø=G>[>‰>Î>?T?|??Ðhä0A1€1´1ç1$2T2‡2Ä2ô2'3d3”3Ç3484k4ë4ý5Z6™6Í67=7m7 7Ý7 8@8}8­8à89Q9„9:>;3<<Õ<!=>>u>?1?^?Û?ü?à<ï0º2]3ý5¥6ð6797x7¤7î78S8w8«8Ì8è89"9<9Z97<o>9?A?N?ð@ò1{33£3Í6ª7ñ9\:|:‹;Ÿ;³;†=’=ð=>>,>‡>“>ñ>? ?-?ˆ?”?ò?h0!0.0‰0•0ó01"1/1Ž1›1ê1þ12&2…2’2á2õ233x3„3 4ƒ::±:½:C;’;<=™=¥=ª=¯=´=¹=À=Ñ=î=û= >>%>9>>>U>,?4!6H7Æ7U8Ô8¥9à9‡:—;™<è<}= ?l?€?§?³? 
y0Ð1C2M2b2ü2›8"=0r<=¨=>Ô>à>@\…0à0ì0c1x1›1Å1ß1í122„3È34!4W4›4£4Ì4 5œ5À5á5÷56Y6Ü6ô6s7Â7q89¶:+;„;Ñ;2<—=Ñ=û=Ä?P A2 2`D}0Ð0]1d1­1´1ö13¥3¬3×3Þ34*4ƒ4Š4š4¡45„5‹5Æ6Í679>96<C<P<í<ô<pª=»=Ì=ƒ>>\?e?€p0¹778B8h8#98;æ;62F2v4}4 4Î3Õ34 474»4Â499þ;<m<s<€<*=<=W=B>U>b>®>µ>° ¨1¯1¤45m5M6Z6’8š8:µ:À G?k?Ð(1X1µ1¡2®2»2ž3ª3Ý3X7_79s=O>V>àY0ê4ñ4¦:¢;ø;)=H=ð(A3H3 4m5k7b9°<¾?Æ?Î?Ö?Þ?æ?î?ö?þ?¤0000&0.060>0F0N0V0^0f0n0v0~0†0Ž0–0ž0¦0®0¶0¾0Æ0Î0Ö0Þ0æ0î0ö0þ01111&1.161>1F1N1V1^1f1n1v1~1†1Ž1–1ž1¦1®1¶1¾1Æ1Î1Ö1Þ1æ1î1ö1þ12222&2.262>2F2N2V2^2f2n2v2~2†2Ž2–2ž2¦2®2¶2¾2Æ2Î2Ö2Þ2æ2î2ö2þ23333&3.363>3F3N3V3^3f3n3v3~3†3Ž3–3ž3¦3®3¶3¾3Æ3Î3Ö3Þ3æ3î3ö3þ34444&4.464>4F4N4V4^4f4n4v4~4†4Ž4–4ž4¦4®4¶4¾4Æ4Î4Ö4Þ4æ4î4ö4þ45555&5.565>5F5N5V5^5š56o6¿6 7>7E7K7y7®7µ7»7é78%8+8Ñ8 >>>/>6><>‡>Ç>Î>Ô>*?W?^?d?ö?ý?H0<1C1I1Ë2Ò2Ø254<4B4’4™4Ÿ4u8|8‚8ö:ý:;>;>E>W>a>°>¾>Ë>Ò>ú>?? 11161=1C1P4 ;¤;¨;¬;°;´;¸;¼;À;Ä;È;Ì;Ð;Ô;Ø;Ü;à;ä;è;ì;ð;ô;ø;ü;<<< <<<<< <$<(<,<0<4<8<<<@<D<H<L<`<d<h<l<p<t<x<|<€<== ===== =$=(=,=0=4=8=<=@=D=H=L=P=T=X=\=`=d=h=l=p=t=x=|=€=„=ˆ=Œ==”=˜=œ= =¤=¨=¬=°=´=¸=¼=À=Ä=È=Ì=Ð=Ô=Ø=Ü=à=ä=è=ì=ð=ô=ø=ü=>>> >>>>> >$>(>,>0>4>8><>@>D>H>L>À?Ä?È?Ì?Ð?Ô?Ø?Ü?à?ä?è?ì?ð?p°L0P0T0X0\0`0d0h0l0p0t0¤6¨6¬6°6´6¸6¼6À6Ä6È6Ì6Ð6 77777 7::: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:€:„:ˆ:Œ::”:˜:œ: :¤:¨:¬:°:´:¸:¼:À:Ä:È:Ì:Ð:Ô:Ø:Ü:à:ä:è:€0 000$0,040<0D0L0
base_address: 0x000e5000
process_identifier: 8400
process_handle: 0x00000688
1 1 0

WriteProcessMemory

buffer:
base_address: 0x7efde008
process_identifier: 8400
process_handle: 0x00000688
1 1 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4203603
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000684
process_identifier: 8400
1 0 0

NtResumeThread

thread_handle: 0x00000684
suspend_count: 1
process_identifier: 8400
1 0 0