Summary | ZeroBOX

Pb3Setp.exe

AsyncRAT PWS AntiDebug BitCoin PE File PE32 .NET EXE AntiVM
Category Machine Started Completed
FILE s1_win7_x6401 June 4, 2021, 11:30 a.m. June 4, 2021, 11:36 a.m.
Size 150.5KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 192157321ae17032b5edee8de07e0e86
SHA256 445d39df326616cbfd206707370348697ee1ad8ffb5ce1edc330afe9bf49266e
CRC32 BC59B936
ssdeep 1536:Ee1mvzKcEsVVVgYPrs0u4YnhQa7TIGwXoHtabpihRHEnLayET7L+A:EP7KcEsVpPI4wJIB4AWRH0Q7L3
Yara
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • PE_Header_Zero - PE File Signature
  • Is_DotNET_EXE - (no description)
  • IsPE32 - (no description)

IP Address Status Action
104.21.69.75 Active Moloch
164.124.101.2 Active Moloch
45.93.6.203 Active Moloch
88.99.66.31 Active Moloch
194.5.98.144 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49201 -> 104.21.69.75:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49207 -> 88.99.66.31:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49208 -> 88.99.66.31:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.101:49201 -> 104.21.69.75:443
  Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3
  Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com
  Fingerprint: 32:77:2f:72:40:14:df:f9:54:c4:0a:62:8b:04:f6:02:09:b6:56:05
TLSv1 192.168.56.101:49207 -> 88.99.66.31:443
  Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
  Subject: CN=*.iplogger.org
  Fingerprint: 55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb
TLSv1 192.168.56.101:49208 -> 88.99.66.31:443
  Issuer: None
  Subject: None
  Fingerprint: None

Time & API Arguments Status Return Repeated

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00513888
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00513888
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00513888
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x007e7d30
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x007e7d30
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x007e7d70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
getJit+0x6183 clrjit+0x5aa9b @ 0x73d1aa9b
sxsJitStartup-0x4b209 clrjit+0x968b @ 0x73cc968b
sxsJitStartup-0x1ba09 clrjit+0x38e8b @ 0x73cf8e8b
sxsJitStartup-0x4c04c clrjit+0x8848 @ 0x73cc8848
sxsJitStartup-0x4bee9 clrjit+0x89ab @ 0x73cc89ab
sxsJitStartup-0x4c04c clrjit+0x8848 @ 0x73cc8848
sxsJitStartup-0x4b4b8 clrjit+0x93dc @ 0x73cc93dc
sxsJitStartup-0x4b379 clrjit+0x951b @ 0x73cc951b
sxsJitStartup-0x4d6ab clrjit+0x71e9 @ 0x73cc71e9
sxsJitStartup-0x50878 clrjit+0x401c @ 0x73cc401c
sxsJitStartup-0x50762 clrjit+0x4132 @ 0x73cc4132
sxsJitStartup-0x50612 clrjit+0x4282 @ 0x73cc4282
sxsJitStartup-0x502ff clrjit+0x4595 @ 0x73cc4595
CreateAssemblyNameObject+0x61d0 GetMetaDataInternalInterface-0x3229f clr+0x33669 @ 0x72563669
CreateAssemblyNameObject+0x6268 GetMetaDataInternalInterface-0x32207 clr+0x33701 @ 0x72563701
CreateAssemblyNameObject+0x62aa GetMetaDataInternalInterface-0x321c5 clr+0x33743 @ 0x72563743
CreateAssemblyNameObject+0x6503 GetMetaDataInternalInterface-0x31f6c clr+0x3399c @ 0x7256399c
CreateAssemblyNameObject+0x5ffd GetMetaDataInternalInterface-0x32472 clr+0x33496 @ 0x72563496
CreateAssemblyNameObject+0x6c42 GetMetaDataInternalInterface-0x3182d clr+0x340db @ 0x725640db
DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x7254bcd5
DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x72532ae9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72532652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7254264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72542e95
CopyPDBs+0x4c45 DllCanUnloadNowInternal-0x3c392 clr+0x19a887 @ 0x726ca887
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x725f7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72681dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72681e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72681f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7268416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73d3f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x2345678
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 1567060
registers.edi: 69914424
registers.eax: 1567060
registers.ebp: 1567140
registers.edx: 0
registers.ebx: 0
registers.esi: 32243728
registers.ecx: 1
1 0 0

__exception__

stacktrace:
getJit+0x6183 clrjit+0x5aa9b @ 0x73d1aa9b
sxsJitStartup-0x4b209 clrjit+0x968b @ 0x73cc968b
sxsJitStartup-0x1ba09 clrjit+0x38e8b @ 0x73cf8e8b
sxsJitStartup-0x4c04c clrjit+0x8848 @ 0x73cc8848
sxsJitStartup-0x4bee9 clrjit+0x89ab @ 0x73cc89ab
sxsJitStartup-0x4c04c clrjit+0x8848 @ 0x73cc8848
sxsJitStartup-0x4b4b8 clrjit+0x93dc @ 0x73cc93dc
sxsJitStartup-0x4b379 clrjit+0x951b @ 0x73cc951b
sxsJitStartup-0x4d6ab clrjit+0x71e9 @ 0x73cc71e9
sxsJitStartup-0x50878 clrjit+0x401c @ 0x73cc401c
sxsJitStartup-0x50762 clrjit+0x4132 @ 0x73cc4132
sxsJitStartup-0x50612 clrjit+0x4282 @ 0x73cc4282
sxsJitStartup-0x502ff clrjit+0x4595 @ 0x73cc4595
CreateAssemblyNameObject+0x61d0 GetMetaDataInternalInterface-0x3229f clr+0x33669 @ 0x72563669
CreateAssemblyNameObject+0x6268 GetMetaDataInternalInterface-0x32207 clr+0x33701 @ 0x72563701
CreateAssemblyNameObject+0x62aa GetMetaDataInternalInterface-0x321c5 clr+0x33743 @ 0x72563743
CreateAssemblyNameObject+0x6503 GetMetaDataInternalInterface-0x31f6c clr+0x3399c @ 0x7256399c
CreateAssemblyNameObject+0x5ffd GetMetaDataInternalInterface-0x32472 clr+0x33496 @ 0x72563496
CreateAssemblyNameObject+0x6c42 GetMetaDataInternalInterface-0x3182d clr+0x340db @ 0x725640db
DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x7254bcd5
DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x72532ae9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72532652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7254264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72542e95
CopyPDBs+0x4c45 DllCanUnloadNowInternal-0x3c392 clr+0x19a887 @ 0x726ca887
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x725f7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72681dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72681e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72681f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7268416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73d3f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x2345678
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 1567060
registers.edi: 34054840
registers.eax: 1567060
registers.ebp: 1567140
registers.edx: 0
registers.ebx: 0
registers.esi: 32243728
registers.ecx: 1
1 0 0
suspicious_features GET method with no useragent header suspicious_request GET https://topnewsdesign.xyz/?user=pb3_1
suspicious_features GET method with no useragent header suspicious_request GET https://topnewsdesign.xyz/?user=pb3_2
suspicious_features GET method with no useragent header suspicious_request GET https://topnewsdesign.xyz/?user=pb3_3
suspicious_features GET method with no useragent header suspicious_request GET https://topnewsdesign.xyz/?user=pb3_4
suspicious_features GET method with no useragent header suspicious_request GET https://topnewsdesign.xyz/?user=pb3_5
suspicious_features GET method with no useragent header suspicious_request GET https://topnewsdesign.xyz/?user=pb3_6
suspicious_features GET method with no useragent header suspicious_request GET https://iplogger.org/1vjFz7
request GET https://topnewsdesign.xyz/?user=pb3_1
request GET https://topnewsdesign.xyz/?user=pb3_2
request GET https://topnewsdesign.xyz/?user=pb3_3
request GET https://topnewsdesign.xyz/?user=pb3_4
request GET https://topnewsdesign.xyz/?user=pb3_5
request GET https://topnewsdesign.xyz/?user=pb3_6
request GET https://iplogger.org/1jE3z7
request GET https://iplogger.org/1vjFz7
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2948
region_size: 851968
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000640000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2948
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000690000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1321000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef19bb000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2948
region_size: 851968
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000a30000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2948
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000a80000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1322000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1322000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1322000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1322000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1322000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1322000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1322000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1322000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1322000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1322000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1322000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1324000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1324000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1324000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1324000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2948
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2948
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2948
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2948
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2948
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2948
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2948
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91b7a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2948
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91b8c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2948
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91ca0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2948
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91ca1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2948
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91ca2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2948
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91c2c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2948
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91b7b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2948
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91c56000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2948
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91c30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000f80000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000f80000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000f80000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000f82000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000f8d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000f8d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000f8d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000f8d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000f8d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000f8d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000f8d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000f8d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000f8d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000f8d000
process_handle: 0xffffffffffffffff
1 0 0
description Pb3Setp.exe tried to sleep 166 seconds, actually delayed analysis time by 166 seconds
file C:\Users\test22\AppData\Roaming\1367098.exe
file C:\Users\test22\AppData\Roaming\6295721.exe
file C:\Users\test22\AppData\Roaming\1670125.exe
file C:\Users\test22\AppData\Roaming\8145709.exe
Time & API Arguments Status Return Repeated

SetFileAttributesW

file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: C:\Users\test22\AppData\Roaming\WinHost
filepath: C:\Users\test22\AppData\Roaming\WinHost
1 1 0

SetFileAttributesW

file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: C:\Users\test22\AppData\Roaming\WinHost\WinHoster.exe
filepath: C:\Users\test22\AppData\Roaming\WinHost\WinHoster.exe
1 1 0
file C:\Users\test22\AppData\Roaming\1670125.exe
file C:\Users\test22\AppData\Roaming\6295721.exe
file C:\Users\test22\AppData\Roaming\1367098.exe
file C:\Users\test22\AppData\Roaming\8145709.exe
file C:\Users\test22\AppData\Roaming\1670125.exe
file C:\Users\test22\AppData\Roaming\1367098.exe
file C:\Users\test22\AppData\Roaming\6295721.exe
file C:\Users\test22\AppData\Roaming\8145709.exe
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Roaming\1670125.exe
parameters:
filepath: C:\Users\test22\AppData\Roaming\1670125.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Roaming\6295721.exe
parameters:
filepath: C:\Users\test22\AppData\Roaming\6295721.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Roaming\1367098.exe
parameters:
filepath: C:\Users\test22\AppData\Roaming\1367098.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Roaming\8145709.exe
parameters:
filepath: C:\Users\test22\AppData\Roaming\8145709.exe
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
section {u'size_of_data': u'0x00014600', u'virtual_address': u'0x00002000', u'entropy': 7.204970400164372, u'name': u'.text', u'virtual_size': u'0x00014454'} entropy 7.20497040016 description A section with a high entropy has been found
entropy 0.543333333333 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Virtual currency rule Virtual_currency_Zero
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
Time & API Arguments Status Return Repeated

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 1052
process_handle: 0x00000314
0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 1052
process_handle: 0x00000314
1 0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 2092
process_handle: 0x000002f0
0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 2092
process_handle: 0x000002f0
1 0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 2196
process_handle: 0x000002e4
0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 2196
process_handle: 0x000002e4
1 0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 812
process_handle: 0x000002b0
0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 812
process_handle: 0x000002b0
1 0 0
host 194.5.98.144
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1052
region_size: 114688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002ec
3221225496 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 114688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002dc
3221225496 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 114688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002c8
3221225496 0

NtAllocateVirtualMemory

process_identifier: 812
region_size: 114688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002cc
3221225496 0

NtAllocateVirtualMemory

process_identifier: 852
region_size: 114688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002fc
1 0 0
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WinHost reg_value C:\Users\test22\AppData\Roaming\WinHost\WinHoster.exe
Process injection Process 584 manipulating memory of non-child process 1052
Process injection Process 584 manipulating memory of non-child process 2092
Process injection Process 584 manipulating memory of non-child process 2196
Process injection Process 584 manipulating memory of non-child process 812
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1052
region_size: 114688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002ec
3221225496 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 114688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002dc
3221225496 0

NtAllocateVirtualMemory

process_identifier: 2196
region_size: 114688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002c8
3221225496 0

NtAllocateVirtualMemory

process_identifier: 812
region_size: 114688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002cc
3221225496 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELùi=¬à 0P "d €@ À@…ÐcO€ä  ´c  H.text˜N P `.rsrcä€T@@.reloc  \@B
base_address: 0x00400000
process_identifier: 852
process_handle: 0x000002fc
1 1 0

WriteProcessMemory

buffer:  €P€8€€h€ä€TT4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°´StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0>InternalNameCheechakos.exe(LegalCopyright FOriginalFilenameCheechakos.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ô‚ê<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
base_address: 0x00418000
process_identifier: 852
process_handle: 0x000002fc
1 1 0

WriteProcessMemory

buffer: ` $4
base_address: 0x0041a000
process_identifier: 852
process_handle: 0x000002fc
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 852
process_handle: 0x000002fc
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELùi=¬à 0P "d €@ À@…ÐcO€ä  ´c  H.text˜N P `.rsrcä€T@@.reloc  \@B
base_address: 0x00400000
process_identifier: 852
process_handle: 0x000002fc
1 1 0
Process injection Process 584 called NtSetContextThread to modify thread in remote process 852
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4285474
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000002b0
process_identifier: 852
1 0 0
file C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
Process injection Process 584 resumed a thread in remote process 852
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000002b0
suspend_count: 1
process_identifier: 852
1 0 0
Elastic malicious (high confidence)
FireEye Generic.mg.192157321ae17032
McAfee Artemis!192157321AE1
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
Alibaba TrojanDownloader:MSIL/GenKryptik.62dcc6fc
CrowdStrike win/malicious_confidence_100% (W)
BitDefenderTheta Gen:NN.ZemsilF.34722.jm0@a4dbsro
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/GenKryptik.EWGN
APEX Malicious
Avast Win32:Trojan-gen
Paloalto generic.ml
AegisLab Trojan.MSIL.Voda.a!c
Tencent Msil.Trojan-downloader.Voda.Dxcz
Sophos Mal/Generic-S
McAfee-GW-Edition Artemis!Trojan
Ikarus Trojan.MSIL.Confuser
eGambit Unsafe.AI_Score_99%
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft Trojan:Win32/Wacatac.B!ml
VBA32 CIL.HeapOverride.Heur
TrendMicro-HouseCall TROJ_GEN.R002H0DF321
SentinelOne Static AI - Malicious PE
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/Voda.EWGN!tr.dldr
AVG Win32:Trojan-gen
Cybereason malicious.16148b
dead_host 45.93.6.203:80
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000000000000c4
suspend_count: 1
process_identifier: 2948
1 0 0

NtResumeThread

thread_handle: 0x0000000000000134
suspend_count: 1
process_identifier: 2948
1 0 0

NtResumeThread

thread_handle: 0x000000000000017c
suspend_count: 1
process_identifier: 2948
1 0 0

NtResumeThread

thread_handle: 0x00000000000001e8
suspend_count: 1
process_identifier: 2948
1 0 0

NtGetContextThread

thread_handle: 0x00000000000000c8
1 0 0

NtResumeThread

thread_handle: 0x00000000000000c8
suspend_count: 1
process_identifier: 2948
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000134
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000134
1 0 0

NtResumeThread

thread_handle: 0x0000000000000134
suspend_count: 1
process_identifier: 2948
1 0 0

NtResumeThread

thread_handle: 0x00000000000001fc
suspend_count: 1
process_identifier: 2948
1 0 0

NtResumeThread

thread_handle: 0x0000000000000210
suspend_count: 1
process_identifier: 2948
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000134
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000134
1 0 0

NtResumeThread

thread_handle: 0x0000000000000134
suspend_count: 1
process_identifier: 2948
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000134
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000134
1 0 0

NtResumeThread

thread_handle: 0x0000000000000134
suspend_count: 1
process_identifier: 2948
1 0 0

NtGetContextThread

thread_handle: 0x00000000000000c8
1 0 0

NtGetContextThread

thread_handle: 0x00000000000000c8
1 0 0

NtResumeThread

thread_handle: 0x00000000000000c8
suspend_count: 1
process_identifier: 2948
1 0 0

NtGetContextThread

thread_handle: 0x00000000000000c8
1 0 0

NtGetContextThread

thread_handle: 0x00000000000000c8
1 0 0

NtResumeThread

thread_handle: 0x00000000000000c8
suspend_count: 1
process_identifier: 2948
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000134
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000134
1 0 0

NtResumeThread

thread_handle: 0x0000000000000134
suspend_count: 1
process_identifier: 2948
1 0 0

NtGetContextThread

thread_handle: 0x00000000000000c8
1 0 0

NtGetContextThread

thread_handle: 0x00000000000000c8
1 0 0

NtResumeThread

thread_handle: 0x00000000000000c8
suspend_count: 1
process_identifier: 2948
1 0 0

NtResumeThread

thread_handle: 0x0000000000000288
suspend_count: 1
process_identifier: 2948
1 0 0

NtResumeThread

thread_handle: 0x00000000000002a0
suspend_count: 1
process_identifier: 2948
1 0 0

NtResumeThread

thread_handle: 0x00000000000003e0
suspend_count: 1
process_identifier: 2948
1 0 0

CreateProcessInternalW

thread_identifier: 2696
thread_handle: 0x0000000000000760
process_identifier: 1808
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Roaming\1670125.exe
track: 1
command_line: "C:\Users\test22\AppData\Roaming\1670125.exe"
filepath_r: C:\Users\test22\AppData\Roaming\1670125.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000000000000768
1 1 0

CreateProcessInternalW

thread_identifier: 2472
thread_handle: 0x0000000000000760
process_identifier: 1276
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Roaming\6295721.exe
track: 1
command_line: "C:\Users\test22\AppData\Roaming\6295721.exe"
filepath_r: C:\Users\test22\AppData\Roaming\6295721.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000000000000754
1 1 0

CreateProcessInternalW

thread_identifier: 2704
thread_handle: 0x0000000000000768
process_identifier: 1348
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Roaming\1367098.exe
track: 1
command_line: "C:\Users\test22\AppData\Roaming\1367098.exe"
filepath_r: C:\Users\test22\AppData\Roaming\1367098.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000000000000076c
1 1 0

CreateProcessInternalW

thread_identifier: 2084
thread_handle: 0x0000000000000760
process_identifier: 584
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Roaming\8145709.exe
track: 1
command_line: "C:\Users\test22\AppData\Roaming\8145709.exe"
filepath_r: C:\Users\test22\AppData\Roaming\8145709.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000000000000764
1 1 0

NtResumeThread

thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 1808
1 0 0

NtResumeThread

thread_handle: 0x00000150
suspend_count: 1
process_identifier: 1808
1 0 0

NtResumeThread

thread_handle: 0x00000190
suspend_count: 1
process_identifier: 1808
1 0 0

NtResumeThread

thread_handle: 0x000001f4
suspend_count: 1
process_identifier: 1808
1 0 0

NtGetContextThread

thread_handle: 0x000000e4
1 0 0

NtGetContextThread

thread_handle: 0x000000e4
1 0 0

NtResumeThread

thread_handle: 0x000000e4
suspend_count: 1
process_identifier: 1808
1 0 0

NtGetContextThread

thread_handle: 0x000000e4
1 0 0

NtGetContextThread

thread_handle: 0x000000e4
1 0 0

NtResumeThread

thread_handle: 0x000000e4
suspend_count: 1
process_identifier: 1808
1 0 0

NtResumeThread

thread_handle: 0x00000208
suspend_count: 1
process_identifier: 1808
1 0 0

NtResumeThread

thread_handle: 0x0000021c
suspend_count: 1
process_identifier: 1808
1 0 0

NtResumeThread

thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 1276
1 0 0

NtResumeThread

thread_handle: 0x00000154
suspend_count: 1
process_identifier: 1276
1 0 0