popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

maaacccc..exe

AgentTesla info stealer stealer email browser Google Chrome User Data Code injection Socket ScreenShot KeyLogger DNS persistence AntiDebug PE File OS Processor Check PE32 AntiVM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 June 19, 2021, 9:57 a.m. June 19, 2021, 10:02 a.m.
Size 346.0KB
Type PE32 executable (console) Intel 80386, for MS Windows
MD5 0061d17ff54d214c5ea6867cb815caea
SHA256 fd413ec8d9d798c28fc99c0633e6477f6eabc218788ad37c93be4de758a02962
CRC32 C62DD8E8
ssdeep 6144:gmoTVbtce+HAeeASCTqdAOaQxM3QLylFzk8x2dQ32/Y/XDzZKa:gnTVbtcmqTi7xM3+yHY84dQmgzzQa
PDB Path E:\cplusplus\new\Adobe Acrobat\Release\Adobe Acrobat.pdb
Yara
  • PE_Header_Zero - PE File Signature
  • OS_Processor_Check_Zero - OS Processor Check
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch
66.154.103.106 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: 1 file(s) copied.
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: The operation completed successfully.
console_handle: 0x00000007
1 1 0
pdb_path E:\cplusplus\new\Adobe Acrobat\Release\Adobe Acrobat.pdb
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 1080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225713 0

NtAllocateVirtualMemory

 process_identifier: 1080
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007f0000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225713 0

NtAllocateVirtualMemory

 process_identifier: 1896
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00240000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
cmdline C:\Windows\system32\cmd.exe /c copy "C:\Users\test22\AppData\Local\Temp\maaacccc..exe" "C:\Users\%username%\AppData\Local\Adobe Reader.exe" & REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Adobe Reader" /t REG_SZ /F /D "C:\Users\%username%\AppData\Local\Adobe Reader.exe"
section {u'size_of_data': u'0x00029000', u'virtual_address': u'0x0002d000', u'entropy': 7.981490441574027, u'name': u'.data', u'virtual_size': u'0x0002a120'} entropy 7.98149044157 description A section with a high entropy has been found
entropy 0.475362318841 description Overall entropy of this PE file is high
description Communications use DNS rule Network_DNS
description Communications over RAW Socket rule Network_TCP_Socket
description Run a KeyLogger rule KeyLogger
description Win.Trojan.agentTesla rule Win_Trojan_agentTesla_Zero
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Google Chrome User Data Check rule Chrome_User_Data_Check_Zero
description email clients info stealer rule infoStealer_emailClients_Zero
description browser info stealer rule infoStealer_browser_Zero
description Take ScreenShot rule ScreenShot
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Install itself for autorun at Windows startup rule Persistence
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Install itself for autorun at Windows startup rule Persistence
cmdline REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Adobe Reader" /t REG_SZ /F /D "C:\Users\test22\AppData\Local\Adobe Reader.exe"
cmdline C:\Windows\system32\cmd.exe /c copy "C:\Users\test22\AppData\Local\Temp\maaacccc..exe" "C:\Users\%username%\AppData\Local\Adobe Reader.exe" & REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Adobe Reader" /t REG_SZ /F /D "C:\Users\%username%\AppData\Local\Adobe Reader.exe"
host 66.154.103.106
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 1896
region_size: 208896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000070
3221225496 0

NtAllocateVirtualMemory

 process_identifier: 1556
region_size: 208896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000070
1 0 0
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader reg_value C:\Users\test22\AppData\Local\Adobe Reader.exe
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELFyÊ^à xh-$ @0 ¾ ð1è ¬ œÔ.textx P`.data|L N @`À.eh_framØpX@0@.bss„f€€`À.edata1ð^@0@.idataè`@0À.reloc¬ t@0B
base_address: 0x00400000
process_identifier: 1556
process_handle: 0x00000070
1 1 0

WriteProcessMemory

 buffer: zR| ˆ(`‰ÿÿ9A†A ƒC q AÃAÆHt‰ÿÿ,C h`Œ‰ÿÿ,C hx¤‰ÿÿFC0BÜ‰ÿÿFC0B¨Šÿÿ>C0zzR| ˆ $ŠÿÿaAƒC0| AÃA @pŠÿÿaAƒC0| AÃA d¼ŠÿÿaAƒC0| AÃA ˆ‹ÿÿICZ E S E JzR| ˆÜ£ÿÿzR| ˆðŠÿÿ+C gzR| ˆ ðŠÿÿKD†A ƒ}ÃEÆ0@‹ÿÿœA‡A †CƒH ‹Aà AÆAÇ,tˆ‹ÿÿ\A†A ƒN ÃAÆA HÃAÆT¤¸‹ÿÿ…A…A ‡A†CƒE@M AÃAÆ AÇAÅA W EÃAÆ AÇAÅE 8üð‹ÿÿœA…A ‡C†CƒCPŒAÃAÆ AÇAÅ<8TŒÿÿyA…A ‡F†AƒC@hAÃAÆ AÇAÅ4x”ÿÿþA‡A †AƒC Ø Aà AÆAÇA °\Žÿÿ‚AƒC x AÃA 4ÔȎÿÿŠA‡A †AƒC0a Aà AÆAÇA 4  ÿÿŠA‡A †AƒC0a Aà AÆAÇA 4DxÿÿœA‡A †AƒC0p Aà AÆAÇA zR| ˆ<ȏÿÿÑA…A ‡A†AƒC`0 CÃAÆ AÇAÅA zR| ˆ<P’ÿÿ¸A…C ‡A†AƒC@ˆ AÃAÆ AÇAÅA <\ГÿÿqA…A ‡A†AƒCpt AÃAÆ AÇAÅA zR| ˆ<xœÿÿ`A…A ‡A†AƒC@2 AÃAÆ AÇAÅA zR| ˆ<€ÿÿ?A…B F‡†ƒÚ ÃAÆAÇAÅ A µ ÃAÆAÇAÅ A
base_address: 0x00427000
process_identifier: 1556
process_handle: 0x00000070
1 1 0

WriteProcessMemory

 buffer: FyÊ^(ð(ð(ð(ðHost.exe
base_address: 0x0042f000
process_identifier: 1556
process_handle: 0x00000070
1 1 0

WriteProcessMemory

 buffer: X 00 0+010;0E0¦0Ä0Ë0å0*1Ý1ñ1 2%313|34[4S5.68™8¬9´94:Ý:û<==¶=À=Ë=‡>Ç>û>?? Œ¨1õ34¤5P6\6l6|6œ6º6Þ6ç708x8ª8Ñ9$:´;Ã;Ò;ã;÷;„<“<¢<¹<Ë<r=~=’=©=»=í=ø=>(>Ò>Ú>á>è>ú>? ??(?0?7?>?P?[?b?i??‡?Ž?•?§?²?¹?À?Ö?Þ?å?ì?þ?0ô 0001%1;1E1[1b1v1€1˜1Ÿ1³1º1Ë1Ú1ä1ò122+252K2R2d2n2}2„2œ2©2³2Â2Ì2Ú2÷23#353u3‡33¯3í34424m4w4Ž4¤4µ5¼5Ð5Ú5í5ô5 6646;6V6`6p6w66ˆ6±6¸6É6Ó6ê6ñ6777%7?7I7P7[7k7y7¡7¨7Ã7×7ð7ú78,8D8R8n8€88¢8¸8Í8×:ç:;);0;™;º;ä;ø;<‡=¤=Å=Õ=ÿ=„>Ó?ô?@`0)0M0f0—0 11 1{1–11§1®1µ1½1Ä1Õ1Ý1ä1ø12 222&2-282A2H2U2\2i2r2y2†22˜2¡2¨2µ2¼2â2ë2ó2ù23 30373¹3Á3È3Õ3Ý3ä3ñ3ù34 44444A4M4d4q4~4•4¡4®4Ä4Ý4ô4û45!565á5666¾6ç6ï6ù6E7­7Î7Ö7â7ê788+8Q8¦8Â8ý89W9^9e9q9x99†99–99¤9±9Ù9ø9::7:J:P:f:r:w:}:; ;\;d;~;¢;©;²;Æ;><K<R<W<c<j<q<%=4=C=¹=Ù=è=÷=>> >1>@>O>^>m>|>‹>š>©>¸>Ç>Ö>ô>ù>??4?9?Y?f?‡?ª?¯?Px0†0£0µ0Ù0á0í0ô01 111-151=1D1d1–1¡1+8Ë8ˆ9ú9:::‚:¯:º:À:;';@;H;M;Z;É;ì;÷;t<<•<©=Ú=â=ì=ÿ=> >><>C>_>y>È>`, 2•2Ã3Ê3ô355Ç5v6k8¤8Á8Ù8`9¥9c:G;b;­;p0d0«0Ã0ã0 1P1ò1M3¦3&6.7g7„7œ7Ã7ž8ù8(<J<˜>€Ì§0²1Ç1Ú1ä12h2Ï2î2L3£3*464U4a4’4é4M5Š566*616?6¨6®6ï6õ6 777*7q7®72888N8U8f8Ò8Ø89959<9ˆ9::::G:l:€:ˆ:º:Ø:ô: ;1;L;d;|;”;¬;Ä;Ü;ô; <$<<<T<‰<”<©<Ì<Ñ<Û<=(=X=^=i=¶=3>9>Y>l>·>¿>ó>û>?6?>?c?“?›?¿?Ç?°0¯0a1z1¯1¼1Ü1ó102=2c22“2Ÿ2»2Ã2ï2÷2X3ù3"4¹4d55Ý5‹67@7[7c7r7w7Ž7§7¼7Ç7Ñ7ß7ï78q8y8¶8/9á9:B:g:„::–:Ÿ:¨:±:º:Ã:Ì:Õ:Þ:ç:ð:ù:Ø;â;Z<¸<æ<V=c=r=¤=ã=2>j>}>‰>£>«>»>Ç>á>?6?ë? @70?0á0R1¨1°122÷2 3#3Z3b3q3§3î34L4S4h4}4¨4 5,5F5f5ã5°€O0•0¸0>1„1§1G2k2³2Û2Ž3¦3Æ3å3M4b4…4Ÿ4´4F5h5õ56.6w6ƒ6˜6»6Î67#787[7n7·7Ã7í78R8m8˜8Ã8î89D9o9š9Ã9ê9:>:•:ª:8=Ú=¤>Û>H?~?Àpæ0´1À1ò1þ1%2˜2ç2û2)3n3¦3ô34-4„5á5 6T6‡6Ä6ô6'7d7”7Ç7848g8¤8Ø8 9‹9:ú:9;m; ;Ý; <@<}<­<à<=M=€=½=ñ=$>¤>Þ?ÐHÓ01u1Á1Þ23£3Ñ3þ3{4œ45Z7ý7:E;;¨;Ù;<D<Ž<·<ó<=K=l=ˆ=¢=Â=Ü=ú=à$×03Ù3á3î3’68/8C8m;J<‘>ü>?ðh+0?0S0&2222¤2¿2Ì2'333‘3¥3À3Í3(444’4¦4Á4Î4)555“5§5Â5Ï5.6;6Š6ž6¹6Æ6%7277•7°7½78$8¬8#?/?O?[?Ó?D80¡0w1ù12 2222 212N2[2k2|2…2™2ž2µ2Ÿ8:¨;&<µ<4=>@>ç>÷?(ù0H1Ý1k3Ì3à344Ù406£6­6Â6\7û<  ‚10\Ò0f12`243@3å4@5L5Ã5Ø5û5%6?6M6g6u6ä7(8n88·8û89,9i9ü9 :A:W:|:¹:<;T;Ó;"<Ñ<~=?‹?ä?@10’0÷112[2$4¡67P<Ý405½5Ä5 66V6ß78 878>8|8Š8ã8ê8ú89y9ä9ë9&;-;—=ž=`–0£0°0M1T1p$ 22,2ã2ð2¼3Å3Ð4<—<¢<È<ƒ=˜?€F0–6¦6Ö8Ý8.858a8€8—89"9t={= 8^0e0Í0Ó0à0Š1œ1·1¢2µ2Â233669h9Í9­:º:ò<ú<`>?À$§3Ë3q5¸56777þ7 8=8¸;¿;o=ÐÓ1¯2¶2¹4J9Q9?à0X0‰1¨1¡7¨7k8Í9Ë;Â=ð„14&4.464>4F4N4V4^4f4n4v4~4†4Ž4–4ž4¦4®4¶4¾4Æ4Î4Ö4Þ4æ4î4ö4þ45555&5.565>5F5N5V5^5f5n5v5~5†5Ž5–5ž5¦5®5¶5¾5Æ5Î5Ö5Þ5æ5î5ö5þ56666&6.666>6F6N6V6^6f6n6v6~6†6Ž6–6ž6¦6®6¶6¾6Æ6Î6Ö6Þ6æ6î6ö6þ67777&7.767>7F7N7V7^7f7n7v7~7†7Ž7–7ž7¦7®7¶7¾7Æ7Î7Ö7Þ7æ7î7ö7þ78888&8.868>8F8N8V8^8f8n8v8~8†8Ž8–8ž8¦8®8¶8¾8Æ8Î8Ö8Þ8æ8î8ö8þ89999&9.969>9F9N9V9^9f9n9v9ª9/::Ï:;N;U;[;‰;¾;Å;Ë;ù;.<5<;<á<P2!2'2?2F2L2—2×2Þ2ä2:3g3n3t34 44L5S5Y5Û6â6è6E8L8R8¢8©8¯8…<Œ<’<? ??,/2K2U2g2q2À2Î2Û2â2 333!5(5.5F5M5S5 4À8Ä8È8Ì8Ð8Ô8Ø8Ü8à8ä8è8ì8ð8ô8ø8ü8999 99999 9$9(9,9094989<9@9D9H9L9P9T9X9\9`9d9h9l9€9„9ˆ9Œ99”9˜9œ9 9: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:€:„:ˆ:Œ::”:˜:œ: :¤:¨:¬:°:´:¸:¼:À:Ä:È:Ì:Ð:Ô:Ø:Ü:à:ä:è:ì:ð:ô:ø:ü:;;; ;;;;; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d; <¤<¨<¬<°<´<¸<¼<À<Ä<È<Ì<Ð<0 d=h=l=p=t=x=|=€=„=ˆ=Œ=@¬ä3è3ì3ð3ô3ø3ü3444 44L4P4T4X4\4`4T7X7\7`7d7h7l7p7t7x7|7€7„7ˆ7Œ77”7˜7œ7 7¤7¨7¬7°7´7¸7¼7À7Ä7È7Ì7Ð7Ô7Ø7Ü7à7ä7è7ì7ð7ô7ø7ü7888 88888 8$8(8D=L=T=\=d=l=t=|=„=Œ=
base_address: 0x00432000
process_identifier: 1556
process_handle: 0x00000070
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 1556
process_handle: 0x00000070
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELFyÊ^à xh-$ @0 ¾ ð1è ¬ œÔ.textx P`.data|L N @`À.eh_framØpX@0@.bss„f€€`À.edata1ð^@0@.idataè`@0À.reloc¬ t@0B
base_address: 0x00400000
process_identifier: 1556
process_handle: 0x00000070
1 1 0
Process injection Process 1896 called NtSetContextThread to modify thread in remote process 1556
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2000355780
registers.esp: 2490032
registers.edi: 0
registers.eax: 4203565
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000006c
process_identifier: 1556
1 0 0
Process injection Process 1080 resumed a thread in remote process 1896
Process injection Process 1896 resumed a thread in remote process 1556
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x0000006c
suspend_count: 1
process_identifier: 1896
1 0 0

NtResumeThread

 thread_handle: 0x0000006c
suspend_count: 1
process_identifier: 1556
1 0 0
dead_host 66.154.103.106:13371
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2216
thread_handle: 0x0000006c
process_identifier: 1896
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\maaacccc..exe
track: 1
command_line:
filepath_r: C:\Users\test22\AppData\Local\Temp\maaacccc..exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000070
1 1 0

NtGetContextThread

 thread_handle: 0x0000006c
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1896
region_size: 208896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000070
3221225496 0

NtResumeThread

 thread_handle: 0x0000006c
suspend_count: 1
process_identifier: 1896
1 0 0

CreateProcessInternalW

 thread_identifier: 1756
thread_handle: 0x0000006c
process_identifier: 1556
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\maaacccc..exe
track: 1
command_line:
filepath_r: C:\Users\test22\AppData\Local\Temp\maaacccc..exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000070
1 1 0

NtGetContextThread

 thread_handle: 0x0000006c
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1556
region_size: 208896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000070
1 0 0

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELFyÊ^à xh-$ @0 ¾ ð1è ¬ œÔ.textx P`.data|L N @`À.eh_framØpX@0@.bss„f€€`À.edata1ð^@0@.idataè`@0À.reloc¬ t@0B
base_address: 0x00400000
process_identifier: 1556
process_handle: 0x00000070
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00401000
process_identifier: 1556
process_handle: 0x00000070
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00422000
process_identifier: 1556
process_handle: 0x00000070
1 1 0

WriteProcessMemory

 buffer: zR| ˆ(`‰ÿÿ9A†A ƒC q AÃAÆHt‰ÿÿ,C h`Œ‰ÿÿ,C hx¤‰ÿÿFC0BÜ‰ÿÿFC0B¨Šÿÿ>C0zzR| ˆ $ŠÿÿaAƒC0| AÃA @pŠÿÿaAƒC0| AÃA d¼ŠÿÿaAƒC0| AÃA ˆ‹ÿÿICZ E S E JzR| ˆÜ£ÿÿzR| ˆðŠÿÿ+C gzR| ˆ ðŠÿÿKD†A ƒ}ÃEÆ0@‹ÿÿœA‡A †CƒH ‹Aà AÆAÇ,tˆ‹ÿÿ\A†A ƒN ÃAÆA HÃAÆT¤¸‹ÿÿ…A…A ‡A†CƒE@M AÃAÆ AÇAÅA W EÃAÆ AÇAÅE 8üð‹ÿÿœA…A ‡C†CƒCPŒAÃAÆ AÇAÅ<8TŒÿÿyA…A ‡F†AƒC@hAÃAÆ AÇAÅ4x”ÿÿþA‡A †AƒC Ø Aà AÆAÇA °\Žÿÿ‚AƒC x AÃA 4ÔȎÿÿŠA‡A †AƒC0a Aà AÆAÇA 4  ÿÿŠA‡A †AƒC0a Aà AÆAÇA 4DxÿÿœA‡A †AƒC0p Aà AÆAÇA zR| ˆ<ȏÿÿÑA…A ‡A†AƒC`0 CÃAÆ AÇAÅA zR| ˆ<P’ÿÿ¸A…C ‡A†AƒC@ˆ AÃAÆ AÇAÅA <\ГÿÿqA…A ‡A†AƒCpt AÃAÆ AÇAÅA zR| ˆ<xœÿÿ`A…A ‡A†AƒC@2 AÃAÆ AÇAÅA zR| ˆ<€ÿÿ?A…B F‡†ƒÚ ÃAÆAÇAÅ A µ ÃAÆAÇAÅ A
base_address: 0x00427000
process_identifier: 1556
process_handle: 0x00000070
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00428000
process_identifier: 1556
process_handle: 0x00000070
0 0

WriteProcessMemory

 buffer: FyÊ^(ð(ð(ð(ðHost.exe
base_address: 0x0042f000
process_identifier: 1556
process_handle: 0x00000070
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00430000
process_identifier: 1556
process_handle: 0x00000070
1 1 0

WriteProcessMemory

 buffer: X 00 0+010;0E0¦0Ä0Ë0å0*1Ý1ñ1 2%313|34[4S5.68™8¬9´94:Ý:û<==¶=À=Ë=‡>Ç>û>?? Œ¨1õ34¤5P6\6l6|6œ6º6Þ6ç708x8ª8Ñ9$:´;Ã;Ò;ã;÷;„<“<¢<¹<Ë<r=~=’=©=»=í=ø=>(>Ò>Ú>á>è>ú>? ??(?0?7?>?P?[?b?i??‡?Ž?•?§?²?¹?À?Ö?Þ?å?ì?þ?0ô 0001%1;1E1[1b1v1€1˜1Ÿ1³1º1Ë1Ú1ä1ò122+252K2R2d2n2}2„2œ2©2³2Â2Ì2Ú2÷23#353u3‡33¯3í34424m4w4Ž4¤4µ5¼5Ð5Ú5í5ô5 6646;6V6`6p6w66ˆ6±6¸6É6Ó6ê6ñ6777%7?7I7P7[7k7y7¡7¨7Ã7×7ð7ú78,8D8R8n8€88¢8¸8Í8×:ç:;);0;™;º;ä;ø;<‡=¤=Å=Õ=ÿ=„>Ó?ô?@`0)0M0f0—0 11 1{1–11§1®1µ1½1Ä1Õ1Ý1ä1ø12 222&2-282A2H2U2\2i2r2y2†22˜2¡2¨2µ2¼2â2ë2ó2ù23 30373¹3Á3È3Õ3Ý3ä3ñ3ù34 44444A4M4d4q4~4•4¡4®4Ä4Ý4ô4û45!565á5666¾6ç6ï6ù6E7­7Î7Ö7â7ê788+8Q8¦8Â8ý89W9^9e9q9x99†99–99¤9±9Ù9ø9::7:J:P:f:r:w:}:; ;\;d;~;¢;©;²;Æ;><K<R<W<c<j<q<%=4=C=¹=Ù=è=÷=>> >1>@>O>^>m>|>‹>š>©>¸>Ç>Ö>ô>ù>??4?9?Y?f?‡?ª?¯?Px0†0£0µ0Ù0á0í0ô01 111-151=1D1d1–1¡1+8Ë8ˆ9ú9:::‚:¯:º:À:;';@;H;M;Z;É;ì;÷;t<<•<©=Ú=â=ì=ÿ=> >><>C>_>y>È>`, 2•2Ã3Ê3ô355Ç5v6k8¤8Á8Ù8`9¥9c:G;b;­;p0d0«0Ã0ã0 1P1ò1M3¦3&6.7g7„7œ7Ã7ž8ù8(<J<˜>€Ì§0²1Ç1Ú1ä12h2Ï2î2L3£3*464U4a4’4é4M5Š566*616?6¨6®6ï6õ6 777*7q7®72888N8U8f8Ò8Ø89959<9ˆ9::::G:l:€:ˆ:º:Ø:ô: ;1;L;d;|;”;¬;Ä;Ü;ô; <$<<<T<‰<”<©<Ì<Ñ<Û<=(=X=^=i=¶=3>9>Y>l>·>¿>ó>û>?6?>?c?“?›?¿?Ç?°0¯0a1z1¯1¼1Ü1ó102=2c22“2Ÿ2»2Ã2ï2÷2X3ù3"4¹4d55Ý5‹67@7[7c7r7w7Ž7§7¼7Ç7Ñ7ß7ï78q8y8¶8/9á9:B:g:„::–:Ÿ:¨:±:º:Ã:Ì:Õ:Þ:ç:ð:ù:Ø;â;Z<¸<æ<V=c=r=¤=ã=2>j>}>‰>£>«>»>Ç>á>?6?ë? @70?0á0R1¨1°122÷2 3#3Z3b3q3§3î34L4S4h4}4¨4 5,5F5f5ã5°€O0•0¸0>1„1§1G2k2³2Û2Ž3¦3Æ3å3M4b4…4Ÿ4´4F5h5õ56.6w6ƒ6˜6»6Î67#787[7n7·7Ã7í78R8m8˜8Ã8î89D9o9š9Ã9ê9:>:•:ª:8=Ú=¤>Û>H?~?Àpæ0´1À1ò1þ1%2˜2ç2û2)3n3¦3ô34-4„5á5 6T6‡6Ä6ô6'7d7”7Ç7848g8¤8Ø8 9‹9:ú:9;m; ;Ý; <@<}<­<à<=M=€=½=ñ=$>¤>Þ?ÐHÓ01u1Á1Þ23£3Ñ3þ3{4œ45Z7ý7:E;;¨;Ù;<D<Ž<·<ó<=K=l=ˆ=¢=Â=Ü=ú=à$×03Ù3á3î3’68/8C8m;J<‘>ü>?ðh+0?0S0&2222¤2¿2Ì2'333‘3¥3À3Í3(444’4¦4Á4Î4)555“5§5Â5Ï5.6;6Š6ž6¹6Æ6%7277•7°7½78$8¬8#?/?O?[?Ó?D80¡0w1ù12 2222 212N2[2k2|2…2™2ž2µ2Ÿ8:¨;&<µ<4=>@>ç>÷?(ù0H1Ý1k3Ì3à344Ù406£6­6Â6\7û<  ‚10\Ò0f12`243@3å4@5L5Ã5Ø5û5%6?6M6g6u6ä7(8n88·8û89,9i9ü9 :A:W:|:¹:<;T;Ó;"<Ñ<~=?‹?ä?@10’0÷112[2$4¡67P<Ý405½5Ä5 66V6ß78 878>8|8Š8ã8ê8ú89y9ä9ë9&;-;—=ž=`–0£0°0M1T1p$ 22,2ã2ð2¼3Å3Ð4<—<¢<È<ƒ=˜?€F0–6¦6Ö8Ý8.858a8€8—89"9t={= 8^0e0Í0Ó0à0Š1œ1·1¢2µ2Â233669h9Í9­:º:ò<ú<`>?À$§3Ë3q5¸56777þ7 8=8¸;¿;o=ÐÓ1¯2¶2¹4J9Q9?à0X0‰1¨1¡7¨7k8Í9Ë;Â=ð„14&4.464>4F4N4V4^4f4n4v4~4†4Ž4–4ž4¦4®4¶4¾4Æ4Î4Ö4Þ4æ4î4ö4þ45555&5.565>5F5N5V5^5f5n5v5~5†5Ž5–5ž5¦5®5¶5¾5Æ5Î5Ö5Þ5æ5î5ö5þ56666&6.666>6F6N6V6^6f6n6v6~6†6Ž6–6ž6¦6®6¶6¾6Æ6Î6Ö6Þ6æ6î6ö6þ67777&7.767>7F7N7V7^7f7n7v7~7†7Ž7–7ž7¦7®7¶7¾7Æ7Î7Ö7Þ7æ7î7ö7þ78888&8.868>8F8N8V8^8f8n8v8~8†8Ž8–8ž8¦8®8¶8¾8Æ8Î8Ö8Þ8æ8î8ö8þ89999&9.969>9F9N9V9^9f9n9v9ª9/::Ï:;N;U;[;‰;¾;Å;Ë;ù;.<5<;<á<P2!2'2?2F2L2—2×2Þ2ä2:3g3n3t34 44L5S5Y5Û6â6è6E8L8R8¢8©8¯8…<Œ<’<? ??,/2K2U2g2q2À2Î2Û2â2 333!5(5.5F5M5S5 4À8Ä8È8Ì8Ð8Ô8Ø8Ü8à8ä8è8ì8ð8ô8ø8ü8999 99999 9$9(9,9094989<9@9D9H9L9P9T9X9\9`9d9h9l9€9„9ˆ9Œ99”9˜9œ9 9: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:€:„:ˆ:Œ::”:˜:œ: :¤:¨:¬:°:´:¸:¼:À:Ä:È:Ì:Ð:Ô:Ø:Ü:à:ä:è:ì:ð:ô:ø:ü:;;; ;;;;; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d; <¤<¨<¬<°<´<¸<¼<À<Ä<È<Ì<Ð<0 d=h=l=p=t=x=|=€=„=ˆ=Œ=@¬ä3è3ì3ð3ô3ø3ü3444 44L4P4T4X4\4`4T7X7\7`7d7h7l7p7t7x7|7€7„7ˆ7Œ77”7˜7œ7 7¤7¨7¬7°7´7¸7¼7À7Ä7È7Ì7Ð7Ô7Ø7Ü7à7ä7è7ì7ð7ô7ø7ü7888 88888 8$8(8D=L=T=\=d=l=t=|=„=Œ=
base_address: 0x00432000
process_identifier: 1556
process_handle: 0x00000070
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 1556
process_handle: 0x00000070
1 1 0

NtSetContextThread

 registers.eip: 2000355780
registers.esp: 2490032
registers.edi: 0
registers.eax: 4203565
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000006c
process_identifier: 1556
1 0 0

NtResumeThread

 thread_handle: 0x0000006c
suspend_count: 1
process_identifier: 1556
1 0 0

CreateProcessInternalW

 thread_identifier: 1304
thread_handle: 0x00000078
process_identifier: 2056
current_directory:
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: C:\Windows\system32\cmd.exe /c copy "C:\Users\test22\AppData\Local\Temp\maaacccc..exe" "C:\Users\%username%\AppData\Local\Adobe Reader.exe" & REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Adobe Reader" /t REG_SZ /F /D "C:\Users\%username%\AppData\Local\Adobe Reader.exe"
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 1
process_handle: 0x00000074
1 1 0

CreateProcessInternalW

 thread_identifier: 2112
thread_handle: 0x00000088
process_identifier: 1048
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\reg.exe
track: 1
command_line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Adobe Reader" /t REG_SZ /F /D "C:\Users\test22\AppData\Local\Adobe Reader.exe"
filepath_r: C:\Windows\system32\reg.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000090
1 1 0
Bkav W32.AIDetect.malware2
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.46498186
FireEye Generic.mg.0061d17ff54d214c
ALYac Trojan.GenericKD.46498186
Cylance Unsafe
AegisLab Trojan.Win32.Malicious.4!c
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 0057e29a1 )
Alibaba Backdoor:Win32/Kryptik.f42bebb8
K7GW Trojan ( 0057e29a1 )
Cybereason malicious.f2a9fc
BitDefenderTheta Gen:NN.ZexaF.34758.vu0@aSHTY2ei
Cyren W32/Trojan.HSCI-7028
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Kryptik.HLJN
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Backdoor.Win32.NetWiredRC.gen
BitDefender Trojan.GenericKD.46498186
Avast Win32:Malware-gen
Ad-Aware Trojan.GenericKD.46498186
Emsisoft Trojan.GenericKD.46498186 (B)
TrendMicro TrojanSpy.Win32.TRICKBOT.SMC
McAfee-GW-Edition BehavesLike.Win32.Generic.fc
Sophos Mal/Generic-S + Mal/Generic-L
Ikarus Trojan.Win32.Crypt
eGambit Unsafe.AI_Score_99%
Avira TR/AD.NetWiredRc.jcaqx
Microsoft Trojan:Script/Phonzy.B!ml
GData Trojan.GenericKD.46498186
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.TRICKBOT.C4528991
Acronis suspicious
McAfee RDN/Generic PWS.y
MAX malware (ai score=83)
VBA32 BScope.Trojan.Wacatac
TrendMicro-HouseCall TrojanSpy.Win32.TRICKBOT.SMC
SentinelOne Static AI - Malicious PE
Fortinet W32/TrojanSpy_Win32_TRICKBOT.SMC
Webroot W32.TRICKBOT
AVG Win32:Malware-gen
Panda Trj/GdSda.A
CrowdStrike win/malicious_confidence_100% (W)