Summary | ZeroBOX

Sep.exe

OS Processor Check PE32 PE File
Category: FILE | Machine: s1_win7_x6401 | Started: May 21, 2021, 11 a.m. | Completed: May 21, 2021, 11:07 a.m.
Size 269.6KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 cfef44177015e086c53b9a45b803e1fd
SHA256 c65f65aa8282bab5e5430778b3f8c82fb6a1119a5737a098aab11ed7bcf72409
CRC32 A9F41F9F
ssdeep 6144:tQqk01nmDIqpV5LBZJveaCzlH8KQALPsL2lJbZJ:BwdpVZJ/CzPQAA2ltZJ
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
139.155.178.173 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow | SID | Signature | Category
TCP 192.168.56.101:49202 -> 139.155.178.173:888 | 2016141 | ET INFO Executable Download from dotted-quad Host | A Network Trojan was detected
TCP 139.155.178.173:888 -> 192.168.56.101:49202 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation
TCP 139.155.178.173:888 -> 192.168.56.101:49202 | 2020500 | ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK) | Exploit Kit Activity Detected
TCP 139.155.178.173:888 -> 192.168.56.101:49202 | 2021076 | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | Potentially Bad Traffic
TCP 139.155.178.173:888 -> 192.168.56.101:49202 | 2014520 | ET INFO EXE - Served Attached HTTP | Misc activity
TCP 192.168.56.101:49201 -> 139.155.178.173:19060 | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | Malware Command and Control Activity Detected
TCP 192.168.56.101:49201 -> 139.155.178.173:19060 | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | Malware Command and Control Activity Detected
TCP 192.168.56.101:49201 -> 139.155.178.173:19060 | 2021716 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102 | Malware Command and Control Activity Detected
TCP 192.168.56.101:49257 -> 139.155.178.173:19060 | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | Malware Command and Control Activity Detected
TCP 192.168.56.101:49257 -> 139.155.178.173:19060 | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | Malware Command and Control Activity Detected
TCP 192.168.56.101:49257 -> 139.155.178.173:19060 | 2021716 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102 | Malware Command and Control Activity Detected
TCP 192.168.56.101:49307 -> 139.155.178.173:19060 | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | Malware Command and Control Activity Detected
TCP 192.168.56.101:49307 -> 139.155.178.173:19060 | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | Malware Command and Control Activity Detected
TCP 192.168.56.101:49307 -> 139.155.178.173:19060 | 2021716 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102 | Malware Command and Control Activity Detected
TCP 192.168.56.101:49357 -> 139.155.178.173:19060 | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | Malware Command and Control Activity Detected
TCP 192.168.56.101:49357 -> 139.155.178.173:19060 | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | Malware Command and Control Activity Detected
TCP 192.168.56.101:49357 -> 139.155.178.173:19060 | 2021716 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102 | Malware Command and Control Activity Detected
TCP 192.168.56.101:49202 -> 139.155.178.173:888 | 2027250 | ET INFO Dotted Quad Host DLL Request | Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .ndata
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
Host+0x14c @ 0x10002bfc

exception.instruction_r: 0f 3f 07 0b 85 db 0f 94 45 e4 5b eb 24 8b 45 ec
exception.exception_code: 0xc000001d
exception.symbol: Host-0x1307
exception.address: 0x100017a9
registers.esp: 1637528
registers.edi: 0
registers.eax: 1
registers.ebp: 1637580
registers.edx: 2130566132
registers.ebx: 0
registers.esi: 1970484437
registers.ecx: 2264
1 0 0

__exception__

stacktrace:
Host+0x155 @ 0x10002c05

exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a c7 45
exception.instruction: in eax, dx
exception.exception_code: 0xc0000096
exception.symbol: Host-0x1268
exception.address: 0x10001848
registers.esp: 1637528
registers.edi: 0
registers.eax: 1447909480
registers.ebp: 1637580
registers.edx: 22104
registers.ebx: 0
registers.esi: 1970484437
registers.ecx: 10
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73721000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74e51000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e91000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73dd1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76891000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x77371000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d41000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d31000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d11000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73741000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10001000
process_handle: 0xffffffff
3221225713 0

NtProtectVirtualMemory

process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 155648
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x100fa000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10120000
process_handle: 0xffffffff
3221225713 0

NtAllocateVirtualMemory

process_identifier: 2244
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00460000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x721d1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e91000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73dd1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d41000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d31000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d11000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73741000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 942080
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10001000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 217088
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x100e7000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73dd1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72621000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x728e4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72622000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76891000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x77371000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75401000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x765b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75431000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x722c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e91000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e91000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e91000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e91000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e91000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e91000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e91000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e91000
process_handle: 0xffffffff
1 0 0
description Ser.exe tried to sleep 255 seconds, actually delayed analysis time by 255 seconds
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13714546688
free_bytes_available: 13714546688
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13715021824
free_bytes_available: 13715021824
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0
file C:\Windows\Temp\Ser.exe
file C:\Windows\Temp\Cacrk.exe
file C:\Program Files\Cacrk\Cacrk.dll
file C:\Windows\Temp\8908.exe
file C:\Windows\Temp\Sel.exe
Time & API Arguments Status Return Repeated

CreateServiceA

service_start_name:
start_type: 2
password:
display_name: Internet Connection Sharing (ICS)
filepath: C:\Program Files (x86)\Arrange\NULL.jpg
service_name: SharedAccess
filepath_r: C:\Program Files (x86)\Arrange\NULL.jpg
desired_access: 983551
service_handle: 0x00000000
error_control: 0
service_type: 272
service_manager_handle: 0x002fccc0
0 0
file C:\Windows\Temp\Cacrk.exe
file C:\Windows\Temp\Ser.exe
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 434176
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x10001000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

InternetReadFile

buffer: MZ ... This program cannot be run in DOS mode. ... Rich ... PE ... .text .rdata .data .rsrc (binary PE image; non-printable bytes omitted)
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: Process ... user32.dll gdi32.dll ... MZ ... This program cannot be run in DOS mode. ... Rich ... PE (binary data containing a second embedded PE image; non-printable bytes omitted)
request_handle: 0x00cc000c
1 1 0
Time & API Arguments Status Return Repeated

Process32NextW

snapshot_handle: 0x00000168
process_name: Sel.exe
process_identifier: 6684769
0 0

Process32NextW

snapshot_handle: 0x000003a8
process_name: 8908.exe
process_identifier: 7536688
0 0

Process32NextW

snapshot_handle: 0x000003a8
process_name: 8908.exe
process_identifier: 3014768
0 0

Process32NextW

snapshot_handle: 0x000003a8
process_name: 8908.exe
process_identifier: 7274573
0 0

Process32NextW

snapshot_handle: 0x000003a8
process_name: 8908.exe
process_identifier: 5046390
0 0

Process32NextW

snapshot_handle: 0x000003a8
process_name: 8908.exe
process_identifier: 6815859
0 0

Process32NextW

snapshot_handle: 0x000003a8
process_name: 8908.exe
process_identifier: 6881397
0 0

Process32NextW

snapshot_handle: 0x000003a8
process_name: 8908.exe
process_identifier: 7602277
0 0

Process32NextW

snapshot_handle: 0x000003a8
process_name: 8908.exe
process_identifier: 6619235
0 0

Process32NextW

snapshot_handle: 0x000003a8
process_name: 8908.exe
process_identifier: 4456552
0 0

Process32NextW

snapshot_handle: 0x000003a8
process_name: 8908.exe
process_identifier: 7536758
0 0

Process32NextW

snapshot_handle: 0x000003a8
process_name: 8908.exe
process_identifier: 6684769
0 0

Process32NextW

snapshot_handle: 0x000003a8
process_name: 8908.exe
process_identifier: 4390992
0 0

Process32NextW

snapshot_handle: 0x000003a8
process_name:
process_identifier: 5439572
0 0

Process32NextW

snapshot_handle: 0x000003a8
process_name: 8908.exe
process_identifier: 6619182
0 0

Process32NextW

snapshot_handle: 0x000003a8
process_name: 8908.exe
process_identifier: 6553715
0 0

Process32NextW

snapshot_handle: 0x000003a8
process_name: 8908.exe
process_identifier: 5046338
0 0

Process32NextW

snapshot_handle: 0x000003a8
process_name: 8908.exe
process_identifier: 6619246
0 0

Process32NextW

snapshot_handle: 0x000003a8
process_name: 8908.exe
process_identifier: 6750273
0 0

Process32NextW

snapshot_handle: 0x000003a8
process_name: 8908.exe
process_identifier: 7471220
0 0

Process32NextW

snapshot_handle: 0x000003a8
process_name: 8908.exe
process_identifier: 7733331
0 0

Process32NextW

snapshot_handle: 0x000003a8
process_name: 8908.exe
process_identifier: 4980808
0 0

Process32NextW

snapshot_handle: 0x000003a8
process_name: 8908.exe
process_identifier: 6619251
0 0

Process32NextW

snapshot_handle: 0x000003a8
process_name: 8908.exe
process_identifier: 7864421
0 0

Process32NextW

snapshot_handle: 0x000003a8
process_name: 8908.exe
process_identifier: 3342387
0 0

Process32NextW

snapshot_handle: 0x000003a8
process_name: 8908.exe
process_identifier: 3014722
0 0

Process32NextW

snapshot_handle: 0x000003a8
process_name:
process_identifier: 7733362
0 0

Process32NextW

snapshot_handle: 0x000003a8
process_name: 8908.exe
process_identifier: 6553705
0 0

Process32NextW

snapshot_handle: 0x0000032c
process_name: 8908.exe
process_identifier: 7602224
0 0

Process32NextW

snapshot_handle: 0x0000032c
process_name: 8908.exe
process_identifier: 7536688
0 0

Process32NextW

snapshot_handle: 0x0000032c
process_name: 8908.exe
process_identifier: 3014768
0 0

Process32NextW

snapshot_handle: 0x0000032c
process_name: 8908.exe
process_identifier: 7274573
0 0

Process32NextW

snapshot_handle: 0x0000032c
process_name: 8908.exe
process_identifier: 5046390
0 0

Process32NextW

snapshot_handle: 0x0000032c
process_name: 8908.exe
process_identifier: 6815859
0 0

Process32NextW

snapshot_handle: 0x0000032c
process_name: 8908.exe
process_identifier: 6881397
0 0

Process32NextW

snapshot_handle: 0x0000032c
process_name: 8908.exe
process_identifier: 7602277
0 0

Process32NextW

snapshot_handle: 0x0000032c
process_name: 8908.exe
process_identifier: 6619235
0 0

Process32NextW

snapshot_handle: 0x0000032c
process_name: 8908.exe
process_identifier: 4456552
0 0

Process32NextW

snapshot_handle: 0x0000032c
process_name: 8908.exe
process_identifier: 7536758
0 0

Process32NextW

snapshot_handle: 0x0000032c
process_name: 8908.exe
process_identifier: 6684769
0 0

Process32NextW

snapshot_handle: 0x0000032c
process_name: 8908.exe
process_identifier: 4390992
0 0

Process32NextW

snapshot_handle: 0x0000032c
process_name:
process_identifier: 5439572
0 0

Process32NextW

snapshot_handle: 0x0000032c
process_name: 8908.exe
process_identifier: 6619182
0 0

Process32NextW

snapshot_handle: 0x0000032c
process_name: 8908.exe
process_identifier: 6553715
0 0

Process32NextW

snapshot_handle: 0x0000032c
process_name: 8908.exe
process_identifier: 5046338
0 0

Process32NextW

snapshot_handle: 0x0000032c
process_name: 8908.exe
process_identifier: 6619246
0 0

Process32NextW

snapshot_handle: 0x0000032c
process_name: 8908.exe
process_identifier: 6750273
0 0

Process32NextW

snapshot_handle: 0x0000032c
process_name: 8908.exe
process_identifier: 7471220
0 0

Process32NextW

snapshot_handle: 0x0000032c
process_name: 8908.exe
process_identifier: 7733331
0 0

Process32NextW

snapshot_handle: 0x0000032c
process_name: 8908.exe
process_identifier: 4980808
0 0
host 139.155.178.173
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XXXXXX5B07E7D0 reg_value C:\Windows\XXXXXX5B07E7D0\svchsot.exe
service_name SharedAccess service_path C:\Program Files (x86)\Arrange\NULL.jpg
process ser.exe
process sel.exe
process: potential process injection target explorer.exe
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
Host+0x155 @ 0x10002c05

exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a c7 45
exception.instruction: in eax, dx
exception.exception_code: 0xc0000096
exception.symbol: Host-0x1268
exception.address: 0x10001848
registers.esp: 1637528
registers.edi: 0
registers.eax: 1447909480
registers.ebp: 1637580
registers.edx: 22104
registers.ebx: 0
registers.esi: 1970484437
registers.ecx: 10
1 0 0
mutex AAAAAArrCmva6ysr2utKe9rrSwqa6mr7Wvnw==
Elastic malicious (high confidence)
DrWeb Trojan.DownLoader19.23899
MicroWorld-eScan MemScan:Trojan.GenericKDZ.41799
CAT-QuickHeal Trojan.Magania.18692
McAfee Artemis!CFEF44177015
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan-Downloader ( 0055e3da1 )
Alibaba Backdoor:Win32/Farfli.79fa6e7c
K7GW Trojan-Downloader ( 0055e3da1 )
Cybereason malicious.77015e
BitDefenderTheta Gen:NN.ZexaF.34690.cq0@aap0jngb
Cyren W32/Trojan.ZPWE-6472
Symantec Backdoor.Trojan
ESET-NOD32 multiple detections
APEX Malicious
Avast Win32:Malware-gen
ClamAV Win.Trojan.Farfli-9811912-0
Kaspersky Backdoor.Win32.Farfli.bsjq
BitDefender MemScan:Trojan.GenericKDZ.41799
NANO-Antivirus Trojan.Win32.Dwn.eahibw
Paloalto generic.ml
ViRobot Trojan.Win32.Z.Farfli.276049
Tencent Win32.Trojan.Obfuscator.Tejn
Ad-Aware MemScan:Trojan.GenericKDZ.41799
Sophos Mal/Generic-R
Comodo TrojWare.Win32.Agent.PDSB@4q3i1w
Baidu Win32.Trojan.Dialer.d
TrendMicro BKDR_ZEGOST.SM50
McAfee-GW-Edition BackDoor-EMA.gen.e
FireEye MemScan:Trojan.GenericKDZ.41799
Emsisoft MemScan:Trojan.GenericKDZ.41799 (B)
Jiangmin Trojan/Dialer.mgr
Avira HEUR/AGEN.1124319
MAX malware (ai score=85)
Kingsoft Win32.Troj.Undef.(kcloud)
Gridinsoft Trojan.Win32.Downloader.sa
Microsoft Trojan:Win32/Dorv.A
AegisLab Trojan.Win32.Farfli.m!c
ZoneAlarm HEUR:Trojan.Win32.Farfli.gen
GData Win32.Trojan-Downloader.Agent.WC
Cynet Malicious (score: 99)
AhnLab-V3 Trojan/Win.Generic.C4430134
VBA32 BScope.Trojan.Downloader
Malwarebytes Malware.AI.3771281797
Zoner Trojan.Win32.22067
TrendMicro-HouseCall BKDR_ZEGOST.SM50
Rising Trojan.Win32.Lebag.b (CLOUD)
Yandex Trojan.GenAsa!puNbw774luA
Ikarus Trojan-Downloader.Win32.Agent