Summary | ZeroBOX

f.exe

Tags: AgentTesla, info stealer, stealer, email, browser, Google Chrome User Data, Socket, ScreenShot, KeyLogger, DNS, AntiDebug, PE File, PE32, .NET EXE, AntiVM
Category: FILE
Machine: s1_win7_x6402
Started: June 6, 2021, 9:41 p.m.
Completed: June 6, 2021, 9:43 p.m.
Size 210.5KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 723425455c102e80649218e45438c39c
SHA256 ccf433b26530eba6adfbc5a390b77702e6418df136a26abe3ef7b5a83e1637bb
CRC32 13822C2E
ssdeep 3072:o6dTUMmLamijtV3u/bPtUsozAJour/i/at+McWtoJBZqQdseKpvKFeULJ8P:SMmRkt2bRYAbV+ZWmBsS0Kf
Yara
  • PE_Header_Zero - PE File Signature
  • Is_DotNET_EXE - (no description)
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
142.4.200.50 Active Moloch
172.217.25.14 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
mscorlib+0x2d5861 @ 0x6eeb5861
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x357ee CorDllMainForThunk-0x56d0d clr+0xfa867 @ 0x6fc9a867
DllGetClassObjectInternal+0x358c6 CorDllMainForThunk-0x56c35 clr+0xfa93f @ 0x6fc9a93f
PreBindAssemblyEx+0x107ff StrongNameSignatureVerification-0x174c clr+0x18836a @ 0x6fd2836a
PreBindAssemblyEx+0x10899 StrongNameSignatureVerification-0x16b2 clr+0x188404 @ 0x6fd28404
CreateAssemblyNameObject+0x28676 GetMetaDataInternalInterface-0xfdf9 clr+0x55b0f @ 0x6fbf5b0f
GetPrivateContextsPerfCounters+0x13ac DllGetActivationFactoryImpl-0x134b9 clr+0x8932e @ 0x6fc2932e
mscorlib+0x2d5eb7 @ 0x6eeb5eb7
mscorlib+0x2d5c33 @ 0x6eeb5c33
mscorlib+0x2d7894 @ 0x6eeb7894
mscorlib+0x2d74ff @ 0x6eeb74ff
mscorlib+0x2d71c3 @ 0x6eeb71c3
mscorlib+0x2d48ea @ 0x6eeb48ea
mscorlib+0x36990b @ 0x6ef4990b
0x5615a2
0x561429
0x561392
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 39 09 e8 97 d5 8f 6e e8 2e 3c 97 6e 8b f8 8b ce
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5616c6
registers.esp: 4117524
registers.edi: 4117552
registers.eax: 35807368
registers.ebp: 4117564
registers.edx: 35807320
registers.ebx: 35807192
registers.esi: 35807320
registers.ecx: 0
1 0 0

__exception__

stacktrace:
mscorlib+0x2d5861 @ 0x6eeb5861
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x357ee CorDllMainForThunk-0x56d0d clr+0xfa867 @ 0x6fc9a867
DllGetClassObjectInternal+0x358c6 CorDllMainForThunk-0x56c35 clr+0xfa93f @ 0x6fc9a93f
PreBindAssemblyEx+0x107ff StrongNameSignatureVerification-0x174c clr+0x18836a @ 0x6fd2836a
PreBindAssemblyEx+0x10899 StrongNameSignatureVerification-0x16b2 clr+0x188404 @ 0x6fd28404
CreateAssemblyNameObject+0x28676 GetMetaDataInternalInterface-0xfdf9 clr+0x55b0f @ 0x6fbf5b0f
GetPrivateContextsPerfCounters+0x13ac DllGetActivationFactoryImpl-0x134b9 clr+0x8932e @ 0x6fc2932e
mscorlib+0x2d5eb7 @ 0x6eeb5eb7
mscorlib+0x2d5c33 @ 0x6eeb5c33
mscorlib+0x2d7894 @ 0x6eeb7894
mscorlib+0x2d74ff @ 0x6eeb74ff
mscorlib+0x2d71c3 @ 0x6eeb71c3
mscorlib+0x2d48ea @ 0x6eeb48ea
mscorlib+0x36990b @ 0x6ef4990b
0x5615a2
0x561429
0x561392
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 39 09 e8 97 d5 8f 6e e8 2e 3c 97 6e 8b f8 8b ce
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5616c6
registers.esp: 4117524
registers.edi: 4117552
registers.eax: 35831088
registers.ebp: 4117564
registers.edx: 35831040
registers.ebx: 35830968
registers.esi: 35831040
registers.ecx: 0
1 0 0

__exception__

stacktrace:
K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e
0x568b85
0x567c47
0x56556a
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737
mscorlib+0x2d36ad @ 0x6eeb36ad
mscorlib+0x308f2d @ 0x6eee8f2d
0x561402
0x561392
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7575b479
registers.esp: 4122700
registers.edi: 1990713288
registers.eax: 16777216
registers.ebp: 4122904
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0
1 0 0

__exception__

stacktrace:
K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e
0x568b85
0x567c47
0x56556a
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737
mscorlib+0x2d36ad @ 0x6eeb36ad
mscorlib+0x308f2d @ 0x6eee8f2d
0x561402
0x561392
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7575b479
registers.esp: 4122700
registers.edi: 1990713288
registers.eax: 4194304
registers.ebp: 4122904
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0
1 0 0

__exception__

stacktrace:
K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e
0x568b85
0x567c47
0x56556a
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737
mscorlib+0x2d36ad @ 0x6eeb36ad
mscorlib+0x308f2d @ 0x6eee8f2d
0x561402
0x561392
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7575b479
registers.esp: 4122700
registers.edi: 1990713288
registers.eax: 19464192
registers.ebp: 4122904
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0
1 0 0

__exception__

stacktrace:
K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e
0x568b85
0x567c47
0x56556a
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737
mscorlib+0x2d36ad @ 0x6eeb36ad
mscorlib+0x308f2d @ 0x6eee8f2d
0x561402
0x561392
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7575b479
registers.esp: 4122700
registers.edi: 1990713288
registers.eax: 12910592
registers.ebp: 4122904
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0
1 0 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 8024
region_size: 1441792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00640000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8024
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00760000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8024
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fba1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8024
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fba2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8024
region_size: 720896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8024
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00470000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8024
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002a2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8024
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002bc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8024
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00560000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8024
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002d5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8024
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002db000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8024
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002d7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8024
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002c6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8024
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8024
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00561000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8024
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002ca000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8024
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002c7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8024
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00562000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8024
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002ac000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8024
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00563000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8024
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00564000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8024
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00565000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8024
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00566000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8024
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00567000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8024
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00568000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8024
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00569000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8024
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002ba000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 6200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x10001000
process_handle: 0xffffffff
1 0 0
section .text: virtual_address 0x00002000, virtual_size 0x000306a4, size_of_data 0x00030800, entropy 7.833992264991208 description A section with a high entropy has been found
section .rsrc: virtual_address 0x00034000, virtual_size 0x00003ca4, size_of_data 0x00003e00, entropy 7.690223283440492 description A section with a high entropy has been found
entropy 0.997619047619 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
rule Network_DNS: Communications use DNS
rule Network_TCP_Socket: Communications over RAW Socket
rule KeyLogger: Run a KeyLogger
rule Win_Trojan_agentTesla_Zero: Win.Trojan.agentTesla
rule Chrome_User_Data_Check_Zero: Google Chrome User Data Check
rule infoStealer_emailClients_Zero: email clients info stealer
rule infoStealer_browser_Zero: browser info stealer
rule ScreenShot: Take ScreenShot
rule DebuggerCheck__GlobalFlags: (no description)
rule DebuggerCheck__QueryInfo: (no description)
rule DebuggerHiding__Thread: (no description)
rule DebuggerHiding__Active: (no description)
rule ThreadControl__Context: (no description)
rule SEH__vectored: (no description)
rule anti_dbg: Checks if being debugged
rule disable_dep: Bypass DEP
host 142.4.200.50
host 172.217.25.14
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 6200
region_size: 221184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000028c
1 0 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELr:k_à œhS$0@`jí  10äPô À3ø.texth P`.data<o0p@`À.eh_framØ †@0@.bss„f°€`À.edata1 Œ@0@.idataä0Ž@0À.relocô P¤@0B
base_address: 0x00400000
process_identifier: 6200
process_handle: 0x0000028c
1 1 0

WriteProcessMemory

buffer: zR| ˆ(Peÿÿ9A†A ƒC q AÃAÆHdeÿÿ,C h`|eÿÿ,C hx”eÿÿFC0BÌeÿÿFC0B¨fÿÿ>C0zzR| ˆ fÿÿaAƒC0| AÃA @`fÿÿaAƒC0| AÃA d¬fÿÿaAƒC0| AÃA ˆøfÿÿICZ E S E JzR| ˆÌÿÿzR| ˆàfÿÿ+C gzR| ˆ àfÿÿKD†A ƒ}ÃEÆ0@ gÿÿœA‡A †CƒH ‹Aà AÆAÇ,txgÿÿ\A†A ƒN ÃAÆA HÃAÆT¤¨gÿÿ…A…A ‡A†CƒE@M AÃAÆ AÇAÅA W EÃAÆ AÇAÅE 8üàgÿÿœA…A ‡C†CƒCPŒAÃAÆ AÇAÅ<8DhÿÿyA…A ‡F†AƒC@hAÃAÆ AÇAÅ4x„iÿÿþA‡A †AƒC Ø Aà AÆAÇA °Ljÿÿ‚AƒC x AÃA 4Ô¸jÿÿŠA‡A †AƒC0a Aà AÆAÇA 4 kÿÿŠA‡A †AƒC0a Aà AÆAÇA 4DhkÿÿœA‡A †AƒC0p Aà AÆAÇA zR| ˆ<¸kÿÿÑA…A ‡A†AƒC`0 CÃAÆ AÇAÅA zR| ˆ<@nÿÿ¸A…C ‡A†AƒC@ˆ AÃAÆ AÇAÅA <\ÀoÿÿqA…A ‡A†AƒCpt AÃAÆ AÇAÅA zR| ˆ<hxÿÿ`A…A ‡A†AƒC@2 AÃAÆ AÇAÅA zR| ˆ<pyÿÿ?A…B F‡†ƒÚ ÃAÆAÇAÅ A µ ÃAÆAÇAÅ A
base_address: 0x0042a000
process_identifier: 6200
process_handle: 0x0000028c
1 1 0

WriteProcessMemory

buffer: r:k_( ( ( ( 
base_address: 0x00432000
process_identifier: 6200
process_handle: 0x0000028c
1 1 0

WriteProcessMemory

buffer: X 00 0+010;0E0¦0Ä0Ë0å0ñ0122K3W3¢3944y5T6?8¿8Ò9Ú9Z:;!=+=6=Ü=æ=ñ=­>í>!?+?6? `Î14<4{4’4¢4´4Æ4Ý4è4j55‘5£5µ5Ì5×5c6z6Š6œ6®6Å6Ð6R7i7y7‹77´7¿7p9:;:q:‡:—:§:Ç:å: ;ª<è?÷?0800+0¸0Ç0Ö0í0ÿ0¦1²1Æ1Ý1ï1!2,2M2\23333.393@3G3\3d3k3r3„33–33³3»3Â3É3Û3æ3í3ô3 444 424=4D4K4R5Y5o5y55–5ª5´5Ì5Ó5ç5î5ÿ566&6E6L6_6i66†6˜6¢6±6¸6Ð6Ý6ç6ö677+767W7i7©7»7Ñ7ã7!888N8f8¡8«8Â8Ø8é9ð9::!:(:@:L:h:o:Š:”:¤:«:µ:¼:å:ì:ý:;;%;9;F;R;Y;s;};„;;Ÿ;­;Õ;Ü;÷; <$<.<L<`<x<†<¢<´<Ã<Ö<ì<= ??I?]?d?Í?î?@$0,0N0»1Ø1ù1 232¸24(4L4]44š4Ë4A5G5T5¯5Ê5Ñ5Û5â5é5ñ5ø5 666,656?6F6M6Z6a6l6u6|6‰666¦6­6º6Á6Ì6Õ6Ü6é6ð677'7-747=7d7k7í7õ7ü7 888%8-848A8I8P8h8u88˜8¥8²8É8Õ8â8ø89(9/969U9j9:;:C:M:ò:;#;-;y;á;< <<<8<M<_<…<Ú<ö<1=H=‹=’=™=¥=¬=³=º=Ã=Ê=Ñ=Ø=å= >,>K>R>k>~>„>š>¦>«>±>K?T??˜?²?Ö?Ý?æ?ú?P r00†0‹0—0ž0¥0Y1h1w1í1 22+2;2H2T2e2t2ƒ2’2¡2°2¿2Î2Ý2ì2û2 3(3-3E3J3h3m33š3»3Þ3ã3³4º4×4é4 55!5(555=5I5P5a5i5q5x5˜5Ê5Õ5_<ü<Ì=>>F>K>X>Æ>ó>þ>?`?k?„?Œ?‘?ž?`P 000;0¸0Ñ0Ù0í12&202C2H2M2[2€2‡2£2½2 3Í4c68&8P8‘9#:Ò:Ç<==5=¼=>¿>£?¾?p, 0À455?5e5¬5N6©78‚:Š;Ã;à;ø;<ú<U=€„„0¦0ô2W3m3}3V5a6v6‰6“6À67~7ž7ü7S8Ú8æ899B9™9ý9::¾:Ä:Ú:á:ï:X;^;Ÿ;¥;»;Â;Î;Ú;!<^<â<è<þ<==‚=ˆ=É=Ï=å=ì=8>¶>Ã>ê>÷>?4?’?°?Ì?á?Ä 0$0<0T0l0„0œ0´0Ì0ä0ü01,1a1l11¤1©1³1Ý120262A2Ž2 3313D33—3Ë3Ó3è344;4k4s4—4Ÿ4ï4„66Ò6ß6ÿ67S7`7†7¢7¶7Â7Þ7æ788|89F9Ý9ˆ:£:;¯;<<Q<i<†<™<©<¸<Ó<ï<==='=7=[=¹=Á=‚>4?a?•?º?×?à?é?ò?û? |0 000(010:0C0L0+151­1 292©2¶2Å2÷263…3½3Ð3Ü3ö3þ34444i4‰4>5Š5’546’6 77g7o7_8s8‹8Â8Ê8Ù89V9z9´9»9Ð9å9:u:”:®:Î:K;°0Ì:¯;õ;<ž<ä<=§=Ë=>;>î>?&?E?­?Â?å?ÿ?Àx0¦0È0U1{1Ž1×1ã1ø12.2w2ƒ2˜2»2Î23#3M33²3Í3ø3#4N4y4¤4Ï4ú4#5J5s5ž5õ5 6˜8:9:;:¨:Þ:F<= =R=^=…=ø=G>[>‰>Î>?T?|??Ðhä0A1€1´1ç1$2T2‡2Ä2ô2'3d3”3Ç3484k4ë4ý5Z6™6Í67=7m7 7Ý7 8@8}8­8à89Q9„9:>;3<<Õ<!=>>u>?1?^?Û?ü?à<ï0º2]3ý5¥6ð6797x7¤7î78S8w8«8Ì8è89"9<9Z97<o>9?A?N?ð@ò1{33£3Í6ª7ñ9\:|:‹;Ÿ;³;†=’=ð=>>,>‡>“>ñ>? ?-?ˆ?”?ò?h0!0.0‰0•0ó01"1/1Ž1›1ê1þ12&2…2’2á2õ233x3„3 4ƒ::±:½:C;’;<=™=¥=ª=¯=´=¹=À=Ñ=î=û= >>%>9>>>U>,?4!6H7Æ7U8Ô8¥9à9‡:—;™<è<}= ?l?€?§?³? 
y0Ð1C2M2b2ü2›8"=0r<=¨=>Ô>à>@\…0à0ì0c1x1›1Å1ß1í122„3È34!4W4›4£4Ì4 5œ5À5á5÷56Y6Ü6ô6s7Â7q89¶:+;„;Ñ;2<—=Ñ=û=Ä?P A2 2`D}0Ð0]1d1­1´1ö13¥3¬3×3Þ34*4ƒ4Š4š4¡45„5‹5Æ6Í679>96<C<P<í<ô<pª=»=Ì=ƒ>>\?e?€p0¹778B8h8#98;æ;62F2v4}4 4Î3Õ34 474»4Â499þ;<m<s<€<*=<=W=B>U>b>®>µ>° ¨1¯1¤45m5M6Z6’8š8:µ:À G?k?Ð(1X1µ1¡2®2»2ž3ª3Ý3X7_79s=O>V>àY0ê4ñ4¦:¢;ø;)=H=ð(A3H3 4m5k7b9°<¾?Æ?Î?Ö?Þ?æ?î?ö?þ?¤0000&0.060>0F0N0V0^0f0n0v0~0†0Ž0–0ž0¦0®0¶0¾0Æ0Î0Ö0Þ0æ0î0ö0þ01111&1.161>1F1N1V1^1f1n1v1~1†1Ž1–1ž1¦1®1¶1¾1Æ1Î1Ö1Þ1æ1î1ö1þ12222&2.262>2F2N2V2^2f2n2v2~2†2Ž2–2ž2¦2®2¶2¾2Æ2Î2Ö2Þ2æ2î2ö2þ23333&3.363>3F3N3V3^3f3n3v3~3†3Ž3–3ž3¦3®3¶3¾3Æ3Î3Ö3Þ3æ3î3ö3þ34444&4.464>4F4N4V4^4f4n4v4~4†4Ž4–4ž4¦4®4¶4¾4Æ4Î4Ö4Þ4æ4î4ö4þ45555&5.565>5F5N5V5^5š56o6¿6 7>7E7K7y7®7µ7»7é78%8+8Ñ8 >>>/>6><>‡>Ç>Î>Ô>*?W?^?d?ö?ý?H0<1C1I1Ë2Ò2Ø254<4B4’4™4Ÿ4u8|8‚8ö:ý:;>;>E>W>a>°>¾>Ë>Ò>ú>?? 11161=1C1P4 ;¤;¨;¬;°;´;¸;¼;À;Ä;È;Ì;Ð;Ô;Ø;Ü;à;ä;è;ì;ð;ô;ø;ü;<<< <<<<< <$<(<,<0<4<8<<<@<D<H<L<`<d<h<l<p<t<x<|<€<== ===== =$=(=,=0=4=8=<=@=D=H=L=P=T=X=\=`=d=h=l=p=t=x=|=€=„=ˆ=Œ==”=˜=œ= =¤=¨=¬=°=´=¸=¼=À=Ä=È=Ì=Ð=Ô=Ø=Ü=à=ä=è=ì=ð=ô=ø=ü=>>> >>>>> >$>(>,>0>4>8><>@>D>H>L>À?Ä?È?Ì?Ð?Ô?Ø?Ü?à?ä?è?ì?ð?p°L0P0T0X0\0`0d0h0l0p0t0¤6¨6¬6°6´6¸6¼6À6Ä6È6Ì6Ð6 77777 7::: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:€:„:ˆ:Œ::”:˜:œ: :¤:¨:¬:°:´:¸:¼:À:Ä:È:Ì:Ð:Ô:Ø:Ü:à:ä:è:€0 000$0,040<0D0L0
base_address: 0x00435000
process_identifier: 6200
process_handle: 0x0000028c
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 6200
process_handle: 0x0000028c
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELr:k_à œhS$0@`jí  10äPô À3ø.texth P`.data<o0p@`À.eh_framØ †@0@.bss„f°€`À.edata1 Œ@0@.idataä0Ž@0À.relocô P¤@0B
base_address: 0x00400000
process_identifier: 6200
process_handle: 0x0000028c
1 1 0
Process injection Process 8024 called NtSetContextThread to modify thread in remote process 6200
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4203603
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000288
process_identifier: 6200
1 0 0
Process injection Process 8024 resumed a thread in remote process 6200
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000288
suspend_count: 1
process_identifier: 6200
1 0 0
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 8024
1 0 0

NtResumeThread

thread_handle: 0x0000014c
suspend_count: 1
process_identifier: 8024
1 0 0

NtResumeThread

thread_handle: 0x00000190
suspend_count: 1
process_identifier: 8024
1 0 0

CreateProcessInternalW

thread_identifier: 3624
thread_handle: 0x00000288
process_identifier: 6200
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\InstallUtil.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x0000028c
1 1 0

NtGetContextThread

thread_handle: 0x00000288
1 0 0

NtAllocateVirtualMemory

process_identifier: 6200
region_size: 221184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000028c
1 0 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELr:k_à œhS$0@`jí  10äPô À3ø.texth P`.data<o0p@`À.eh_framØ †@0@.bss„f°€`À.edata1 Œ@0@.idataä0Ž@0À.relocô P¤@0B
base_address: 0x00400000
process_identifier: 6200
process_handle: 0x0000028c
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00401000
process_identifier: 6200
process_handle: 0x0000028c
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00423000
process_identifier: 6200
process_handle: 0x0000028c
1 1 0

WriteProcessMemory

buffer: zR| ˆ(Peÿÿ9A†A ƒC q AÃAÆHdeÿÿ,C h`|eÿÿ,C hx”eÿÿFC0BÌeÿÿFC0B¨fÿÿ>C0zzR| ˆ fÿÿaAƒC0| AÃA @`fÿÿaAƒC0| AÃA d¬fÿÿaAƒC0| AÃA ˆøfÿÿICZ E S E JzR| ˆÌÿÿzR| ˆàfÿÿ+C gzR| ˆ àfÿÿKD†A ƒ}ÃEÆ0@ gÿÿœA‡A †CƒH ‹Aà AÆAÇ,txgÿÿ\A†A ƒN ÃAÆA HÃAÆT¤¨gÿÿ…A…A ‡A†CƒE@M AÃAÆ AÇAÅA W EÃAÆ AÇAÅE 8üàgÿÿœA…A ‡C†CƒCPŒAÃAÆ AÇAÅ<8DhÿÿyA…A ‡F†AƒC@hAÃAÆ AÇAÅ4x„iÿÿþA‡A †AƒC Ø Aà AÆAÇA °Ljÿÿ‚AƒC x AÃA 4Ô¸jÿÿŠA‡A †AƒC0a Aà AÆAÇA 4 kÿÿŠA‡A †AƒC0a Aà AÆAÇA 4DhkÿÿœA‡A †AƒC0p Aà AÆAÇA zR| ˆ<¸kÿÿÑA…A ‡A†AƒC`0 CÃAÆ AÇAÅA zR| ˆ<@nÿÿ¸A…C ‡A†AƒC@ˆ AÃAÆ AÇAÅA <\ÀoÿÿqA…A ‡A†AƒCpt AÃAÆ AÇAÅA zR| ˆ<hxÿÿ`A…A ‡A†AƒC@2 AÃAÆ AÇAÅA zR| ˆ<pyÿÿ?A…B F‡†ƒÚ ÃAÆAÇAÅ A µ ÃAÆAÇAÅ A
base_address: 0x0042a000
process_identifier: 6200
process_handle: 0x0000028c
1 1 0

WriteProcessMemory

buffer: r:k_( ( ( ( 
base_address: 0x00432000
process_identifier: 6200
process_handle: 0x0000028c
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00433000
process_identifier: 6200
process_handle: 0x0000028c
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00435000
process_identifier: 6200
process_handle: 0x0000028c
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 6200
process_handle: 0x0000028c
1 1 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4203603
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000288
process_identifier: 6200
1 0 0

NtResumeThread

thread_handle: 0x00000288
suspend_count: 1
process_identifier: 6200
1 0 0
Elastic malicious (high confidence)
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
Alibaba TrojanDownloader:MSIL/Kryptik.846fafd4
K7GW Trojan ( 0057d9b11 )
Cybereason malicious.55c102
BitDefenderTheta Gen:NN.ZemsilF.34722.nm0@auSkV7m
Cyren W32/MSIL_Kryptik.DYY.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/Kryptik.ABHH
APEX Malicious
Avast Win32:PWSX-gen [Trj]
Kaspersky HEUR:Trojan-Downloader.MSIL.Seraph.gen
Paloalto generic.ml
AegisLab Trojan.MSIL.Seraph.a!c
TrendMicro TROJ_GEN.R002C0PF521
McAfee-GW-Edition BehavesLike.Win32.Generic.dc
FireEye Generic.mg.723425455c102e80
Sophos Mal/Generic-S
Ikarus Win32.Outbreak
MaxSecure Trojan.Malware.300983.susgen
Kingsoft Win32.Troj.Undef.(kcloud)
Gridinsoft Trojan.Win32.Downloader.sa
Microsoft Trojan:Win32/Wacatac.B!ml
GData Win32.Trojan.Agent.H9D057
Cynet Malicious (score: 100)
McAfee PWS-FCYU!723425455C10
Malwarebytes Backdoor.BabylonRAT
TrendMicro-HouseCall TROJ_GEN.R002C0PF521
Rising Trojan.FakeChrome!1.9C7B (CLASSIC)
SentinelOne Static AI - Malicious PE
Fortinet MSIL/Kryptik.ABHH!tr
Webroot W32.Trojan.Gen
AVG Win32:PWSX-gen [Trj]
CrowdStrike win/malicious_confidence_100% (W)
dead_host 142.4.200.50:7878
dead_host 192.168.56.102:49810