popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

adopepdf.exe

Emotet Gen1 NSIS Generic Malware UPX Malicious Packer Admin Tool (Sysinternals etc ...) ScreenShot KeyLogger Anti_VM AntiDebug PE File OS Processor Check PE32 .NET EXE AntiVM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 June 26, 2021, 10:21 a.m. June 26, 2021, 10:25 a.m.
Size 1.6MB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 f930fed502910c89267677b84e2ad7da
SHA256 9ba99db4c643c7b335b73fd5c52062f25f1699cda426b09710db4e0337360e97
CRC32 FA92E2BB
ssdeep 24576:08ybpNuyClMeGMR2M9Hw1LOjlnh3n+87CSui83e:tGOeeGM0wHYLO+87z8u
Yara
  • Malicious_Packer_Zero - Malicious Packer
  • Is_DotNET_EXE - (no description)
  • Generic_Malware_Zero - Generic Malware
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
file C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
request GET http://detectportal.firefox.com/success.txt?ipv4
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 812
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00550000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 812
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fc91000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 812
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0057a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fc92000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 812
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00572000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 812
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00582000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 812
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00583000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 812
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005fb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 812
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005f7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 812
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0058c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 812
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02090000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 812
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00584000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 812
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02091000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 812
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02092000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 812
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02093000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 812
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02094000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 812
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02095000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 812
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0058a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00be4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00be4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a50000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a50000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a50000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a52000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b64000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b64000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b64000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b64000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b64000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b64000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b64000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b64000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b64000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b64000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b64000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b64000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b64000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b64000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b64000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b64000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b64000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b64000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b64000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b64000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b64000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b64000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b64000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b64000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b64000
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\101.3.34.11\ChromeRecovery.exe
file C:\Program Files (x86)\Mozilla Thunderbird\pingsender.exe
file C:\Program Files (x86)\Google\Update\1.3.36.32\GoogleUpdateBroker.exe
file C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.36.32\GoogleUpdateSetup.exe
file C:\Program Files (x86)\Hnc\HncUtils\HncUpdate.exe
file C:\Program Files (x86)\Mozilla Thunderbird\plugin-container.exe
file C:\Program Files (x86)\Microsoft Office\Office12\REGFORM.EXE
file C:\Program Files (x86)\Microsoft Office\Office12\DSSM.EXE
file C:\Program Files (x86)\Microsoft Office\Office12\MSQRY32.EXE
file C:\Program Files (x86)\Microsoft Office\Office12\ACCICONS.EXE
file C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\ODSERV.EXE
file C:\Python27\Scripts\easy_install.exe
file C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
file C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\ose.exe
file C:\Python27\Lib\site-packages\pip\_vendor\distlib\w32.exe
file C:\Program Files (x86)\7-Zip\7z.exe
file C:\Program Files (x86)\Hnc\Common80\HimTrayIcon.exe
file C:\Program Files (x86)\Hnc\Hwp80\HwpFinder.exe
file C:\Program Files (x86)\Microsoft Office\Office12\SELFCERT.EXE
file C:\Program Files (x86)\Microsoft Office\Office12\PPTVIEW.EXE
file C:\Program Files (x86)\Microsoft Office\Office12\MSPUB.EXE
file C:\Program Files (x86)\EditPlus\editplus.exe
file C:\Python27\Lib\site-packages\pip\_vendor\distlib\t64.exe
file C:\Program Files (x86)\Hnc\Hwp80\HwpPrnMng.exe
file C:\Python27\Lib\site-packages\pip\_vendor\distlib\t32.exe
file C:\Program Files (x86)\Google\Chrome\Application\chrome_proxy.exe
file C:\Program Files (x86)\Mozilla Thunderbird\maintenanceservice.exe
file C:\Program Files (x86)\Mozilla Thunderbird\minidump-analyzer.exe
file C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
file C:\Program Files (x86)\Mozilla Thunderbird\crashreporter.exe
file C:\MSOCache\All Users\{90120000-006E-0412-0000-0000000FF1CE}-C\DW20.EXE
file C:\Program Files (x86)\Microsoft Office\Office12\INFOPATH.EXE
file C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
file C:\Program Files (x86)\Hnc\Common80\HncReporter.exe
file C:\Program Files (x86)\7-Zip\7zFM.exe
file C:\Program Files (x86)\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE
file C:\Program Files (x86)\Microsoft Office\Office12\1042\ONELEV.EXE
file C:\Users\test22\AppData\Local\Temp\3582-490\adopepdf.exe
file C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file C:\Program Files (x86)\Google\Chrome\Application\86.0.4240.111\notification_helper.exe
file C:\Program Files (x86)\Hnc\Hwp80\HncPUAConverter.exe
file C:\Program Files (x86)\Microsoft Office\Office12\MSTORE.EXE
file C:\Program Files (x86)\Hnc\HncDic80\HncDic.exe
file C:\Program Files (x86)\Microsoft Office\Office12\MSTORDB.EXE
file C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\ACECNFLT.EXE
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\101.3.34.11\ChromeRecovery.exe
file C:\Program Files (x86)\Hnc\Hwp80\Hwp.exe
file C:\Program Files (x86)\Hnc\PDF80\x86\HNCE2PPRCONV80.exe
file C:\Program Files (x86)\Google\Update\1.3.36.32\GoogleCrashHandler64.exe
file C:\util\dotnet4.5.exe
file C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
file C:\Users\test22\AppData\Local\Temp\3582-490\adopepdf.exe
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\101.3.34.11\ChromeRecovery.exe
section {u'size_of_data': u'0x00192400', u'virtual_address': u'0x00002000', u'entropy': 6.835792703660231, u'name': u'.text', u'virtual_size': u'0x00192284'} entropy 6.83579270366 description A section with a high entropy has been found
entropy 0.998758535071 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Run a KeyLogger rule KeyLogger
description Take ScreenShot rule ScreenShot
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
host 172.217.25.14
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 8548
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002bc
1 0 0
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default) reg_value C:\Windows\svchost.com "%1" %*
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ t*䀐@°@Pd€ÌpCODE,rt `DATAx@ÀBSS™¨ |À.idatadP |@À.tls`†À.rdatap†@P.relocÌ€ˆ@P.rsrcŽ@P°¢@P
base_address: 0x00400000
process_identifier: 8548
process_handle: 0x000002bc
1 1 0

WriteProcessMemory

 buffer: @2‹À@@@t@ @„#@ËÌÈÉ×ÏÈÍÎÛØÚÙÊÜÝÞßàáãäå@Error‹ÀRuntime error at 00000000‹À0123456789ABCDEFÿÿÿÿ=@@´F@ÌN@O@ØY@äY@øY@üY@üY@Z@$Z@LZ@PZ@Z@´Z@àZ@ @øà€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿ @ ,Eí͘û¤W€É<AïË½ïW‡Ý{JÖçöJÞ>…@}ü„{댐íêÄþGÌA2ÿœNۂõ¥Ð2ªË+^þÇºãW—Ë µáÙnÊXý±.štÛNóĞt“îâhî„‹À`ˆ²òTø5ýœ‘@@
base_address: 0x00409000
process_identifier: 8548
process_handle: 0x000002bc
1 1 0

WriteProcessMemory

 buffer: XRÜPàS4Q T@QLTPQ€T\QÌTpQ U€QöVôQÄW(R8XLRfR~R–R®RÊRØRèRôRSS&S8SJS\SnS|SŠS–S²S¾SÐSìSþST.T>TZTjTŽTœTªT¸TÚTìTüTU$U.U@UVUfU~UŽUšU²UÂUÖUìUVV&V4VJVZVlVzVŠVœV¨V¶VÆVÔVèVWWW,W:WFWVWbWvWŠW WºWÐWÜWêWøWX XX&XDXTXkernel32.dllDeleteCriticalSectionLeaveCriticalSectionEnterCriticalSectionInitializeCriticalSectionVirtualFreeVirtualAllocLocalFreeLocalAllocGetVersionGetCurrentThreadIdGetThreadLocaleGetStartupInfoAGetLocaleInfoAGetCommandLineAFreeLibraryExitProcessWriteFileUnhandledExceptionFilterRtlUnwindRaiseExceptionGetStdHandleuser32.dllGetKeyboardTypeMessageBoxAadvapi32.dllRegQueryValueExARegOpenKeyExARegCloseKeyoleaut32.dllSysFreeStringSysReAllocStringLenkernel32.dllTlsSetValueTlsGetValueLocalAllocGetModuleHandleAadvapi32.dllRegSetValueExARegOpenKeyExARegCloseKeykernel32.dllWriteFileWinExecSetFilePointerSetFileAttributesASetEndOfFileSetCurrentDirectoryAReleaseMutexReadFileGetWindowsDirectoryAGetTempPathAGetShortPathNameAGetModuleFileNameAGetLogicalDriveStringsAGetLocalTimeGetLastErrorGetFileSizeGetFileAttributesAGetDriveTypeAGetCommandLineAFreeLibraryFindNextFileAFindFirstFileAFindCloseDeleteFileACreateMutexACreateFileACreateDirectoryACloseHandlegdi32.dllStretchDIBitsSetDIBitsSelectObjectGetObjectAGetDIBitsDeleteObjectDeleteDCCreateSolidBrushCreateDIBSectionCreateCompatibleDCCreateCompatibleBitmapBitBltuser32.dllReleaseDCGetSysColorGetIconInfoGetDCFillRectDestroyIconCopyImageCharLowerBuffAshell32.dllShellExecuteAExtractIconA
base_address: 0x00415000
process_identifier: 8548
process_handle: 0x000002bc
1 1 0

WriteProcessMemory

 buffer: `A`A@pA
base_address: 0x00417000
process_identifier: 8548
process_handle: 0x000002bc
1 1 0

WriteProcessMemory

 buffer:  0 000"0*020:0B0J0R0Z0b0j0r0z0‚0Š0’0¾0Æ0Î0Ö0Þ0æ0î0ö0ÿ0 1(11—1ß2V3¥3ë3þ3t4¸4ù4-595T5ç567r77š7¥7­7·7Á7Ë7á7ç7õ7888&8,848F8R8a8m8u8€8†8“8™8³8º8Ä8Î8Ø8ä8ï89999/9:9[9s9’9ª9²9ò9:W:w:•:¿;Ì;ÿ;<<'<0<;<D<K<Z<a<ƒ<Ü<ä<i=‡=Œ=’=þ=>>>b>k>>§>³>»>î>?2?\?e?u?}?ƒ?Œ?“?˜?ž?±?º?Ø?Þ?æ? 00(0@0L0T0k0z0Š0ª0Â0æ0î0ô0ú0,1P1n1~1„1Œ1ñ1ü12 22$2u2|2Œ2–2œ2¤2ª2°2·2Á2h3‘3¯3»3Ã34#4+4O4o4—4°4É4Ú4ï4ü45Ù5…668A8Q8g8…8›8²8Ç899*929H9`9n9¢9¾9Ê9Þ9è9û9+:X:a:“:œ:Ñ:Ø:ú:G;o;·<ß<æ<þ< =T=\=g=“=¨=ó=>>N>R>X>\>a>h>n>v>>>˜>Ä>Ï>ì>ö>?%?/?7?=?K?f?{?…?Š?©?®?³?Õ?é?0 N0W0}0Š0466?6:7C7¡;²;ò;ù; <)<2<><E<Ä< =/=;=B=L=V=m=~=‹=’=–=œ= =¦=­=±=Ë=Ô=Ý=é=ó=>/>@>J>R>Z>b>j>’>¼>Ê>Ï>è>ø> ??&?+?0?7?>?H?_?k?x?Š?—?£?°?Â?È?â?ê?ò?ú?@0 00:0B0J0R0Z0b0j0r0z0‚0Š0’0š0¢0ª0²0º0Â0Ê0Ò0Ú0â0ê0ò0ú01 111"1*121:1B1J1R1Z1b1j1r1z1‚1Š1’1§1³1À1Ò1ß1ë1ø1 22#202B2J2R2_2k2x2Š2—2£2°2Â2Ï2Û2è2ú233 323?3K3X3j3w3ƒ33¢3¯3»3È3Ú3ç3ó3444$4(4,484<4@4L4P4T4`4d4h4t4x4|4ˆ4Œ4•4¡4n5í9Ê:ò:;<Y<‘<Ù<Z=ž=ù=>Ô>ï>?¨?ê?P\ 0b0¸0å0]1¹12I22¸23¸3ü3 4œ4À4é45»5ß5ü5~66_8H9®9,;:;A;H;c;o;Š;˜;Ÿ;¦;Ý;‚<¢<š?¼?Ê?`L0Œ3“3Î4‚5¶6ô:(;=;c;Ø;„<<Â<ç<ó<û<===*=:=Z=ì=>A>v>§>Ã>ý>?K?Œ?º?p˜ 040R0…0«0·0Ä0Ö0å011I1™1²12-2É2_3n34o4Ñ4ß4y5ª5Â5Ö5 6J6Œ6¯6ì67U7w7Ö7u8’8 9_9d9w9°9»9Ò9:.:E:c:z:²:ê:;;e;;­;<<¤<==u=¸=.>c>¤>¾>ñ> ?Æ?ñ?€h030F0X0\0`0d0h0l0p0t0x0|0€0„0ˆ0Œ00”0˜0œ0 0¤0¨0¬0°0´0¸0¼0À0Ä0È0Ì0Ð0Ô0Ø0à0ù011%191M1a11Ë120004080è0ì0ð0ô0ø0ü0111111 1$1(122p000 0
base_address: 0x00418000
process_identifier: 8548
process_handle: 0x000002bc
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 8548
process_handle: 0x000002bc
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ t*䀐@°@Pd€ÌpCODE,rt `DATAx@ÀBSS™¨ |À.idatadP |@À.tls`†À.rdatap†@P.relocÌ€ˆ@P.rsrcŽ@P°¢@P
base_address: 0x00400000
process_identifier: 8548
process_handle: 0x000002bc
1 1 0
Process injection Process 812 called NtSetContextThread to modify thread in remote process 8548
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4227300
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000001f0
process_identifier: 8548
1 0 0
Process injection Process 812 resumed a thread in remote process 8548
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000001f0
suspend_count: 1
process_identifier: 8548
1 0 0
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 812
1 0 0

NtResumeThread

 thread_handle: 0x0000015c
suspend_count: 1
process_identifier: 812
1 0 0

NtResumeThread

 thread_handle: 0x00000228
suspend_count: 1
process_identifier: 812
1 0 0

NtResumeThread

 thread_handle: 0x00000240
suspend_count: 1
process_identifier: 812
1 0 0

CreateProcessInternalW

 thread_identifier: 4980
thread_handle: 0x000001f0
process_identifier: 8548
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\adopepdf.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\test22\AppData\Local\Temp\adopepdf.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000002bc
1 1 0

NtGetContextThread

 thread_handle: 0x000001f0
1 0 0

NtAllocateVirtualMemory

 process_identifier: 8548
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002bc
1 0 0

WriteProcessMemory

 buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ t*䀐@°@Pd€ÌpCODE,rt `DATAx@ÀBSS™¨ |À.idatadP |@À.tls`†À.rdatap†@P.relocÌ€ˆ@P.rsrcŽ@P°¢@P
base_address: 0x00400000
process_identifier: 8548
process_handle: 0x000002bc
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00401000
process_identifier: 8548
process_handle: 0x000002bc
1 1 0

WriteProcessMemory

 buffer: @2‹À@@@t@ @„#@ËÌÈÉ×ÏÈÍÎÛØÚÙÊÜÝÞßàáãäå@Error‹ÀRuntime error at 00000000‹À0123456789ABCDEFÿÿÿÿ=@@´F@ÌN@O@ØY@äY@øY@üY@üY@Z@$Z@LZ@PZ@Z@´Z@àZ@ @øà€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿ @ ,Eí͘û¤W€É<AïË½ïW‡Ý{JÖçöJÞ>…@}ü„{댐íêÄþGÌA2ÿœNۂõ¥Ð2ªË+^þÇºãW—Ë µáÙnÊXý±.štÛNóĞt“îâhî„‹À`ˆ²òTø5ýœ‘@@
base_address: 0x00409000
process_identifier: 8548
process_handle: 0x000002bc
1 1 0

WriteProcessMemory

 buffer: XRÜPàS4Q T@QLTPQ€T\QÌTpQ U€QöVôQÄW(R8XLRfR~R–R®RÊRØRèRôRSS&S8SJS\SnS|SŠS–S²S¾SÐSìSþST.T>TZTjTŽTœTªT¸TÚTìTüTU$U.U@UVUfU~UŽUšU²UÂUÖUìUVV&V4VJVZVlVzVŠVœV¨V¶VÆVÔVèVWWW,W:WFWVWbWvWŠW WºWÐWÜWêWøWX XX&XDXTXkernel32.dllDeleteCriticalSectionLeaveCriticalSectionEnterCriticalSectionInitializeCriticalSectionVirtualFreeVirtualAllocLocalFreeLocalAllocGetVersionGetCurrentThreadIdGetThreadLocaleGetStartupInfoAGetLocaleInfoAGetCommandLineAFreeLibraryExitProcessWriteFileUnhandledExceptionFilterRtlUnwindRaiseExceptionGetStdHandleuser32.dllGetKeyboardTypeMessageBoxAadvapi32.dllRegQueryValueExARegOpenKeyExARegCloseKeyoleaut32.dllSysFreeStringSysReAllocStringLenkernel32.dllTlsSetValueTlsGetValueLocalAllocGetModuleHandleAadvapi32.dllRegSetValueExARegOpenKeyExARegCloseKeykernel32.dllWriteFileWinExecSetFilePointerSetFileAttributesASetEndOfFileSetCurrentDirectoryAReleaseMutexReadFileGetWindowsDirectoryAGetTempPathAGetShortPathNameAGetModuleFileNameAGetLogicalDriveStringsAGetLocalTimeGetLastErrorGetFileSizeGetFileAttributesAGetDriveTypeAGetCommandLineAFreeLibraryFindNextFileAFindFirstFileAFindCloseDeleteFileACreateMutexACreateFileACreateDirectoryACloseHandlegdi32.dllStretchDIBitsSetDIBitsSelectObjectGetObjectAGetDIBitsDeleteObjectDeleteDCCreateSolidBrushCreateDIBSectionCreateCompatibleDCCreateCompatibleBitmapBitBltuser32.dllReleaseDCGetSysColorGetIconInfoGetDCFillRectDestroyIconCopyImageCharLowerBuffAshell32.dllShellExecuteAExtractIconA
base_address: 0x00415000
process_identifier: 8548
process_handle: 0x000002bc
1 1 0

WriteProcessMemory

 buffer: `A`A@pA
base_address: 0x00417000
process_identifier: 8548
process_handle: 0x000002bc
1 1 0

WriteProcessMemory

 buffer:  0 000"0*020:0B0J0R0Z0b0j0r0z0‚0Š0’0¾0Æ0Î0Ö0Þ0æ0î0ö0ÿ0 1(11—1ß2V3¥3ë3þ3t4¸4ù4-595T5ç567r77š7¥7­7·7Á7Ë7á7ç7õ7888&8,848F8R8a8m8u8€8†8“8™8³8º8Ä8Î8Ø8ä8ï89999/9:9[9s9’9ª9²9ò9:W:w:•:¿;Ì;ÿ;<<'<0<;<D<K<Z<a<ƒ<Ü<ä<i=‡=Œ=’=þ=>>>b>k>>§>³>»>î>?2?\?e?u?}?ƒ?Œ?“?˜?ž?±?º?Ø?Þ?æ? 00(0@0L0T0k0z0Š0ª0Â0æ0î0ô0ú0,1P1n1~1„1Œ1ñ1ü12 22$2u2|2Œ2–2œ2¤2ª2°2·2Á2h3‘3¯3»3Ã34#4+4O4o4—4°4É4Ú4ï4ü45Ù5…668A8Q8g8…8›8²8Ç899*929H9`9n9¢9¾9Ê9Þ9è9û9+:X:a:“:œ:Ñ:Ø:ú:G;o;·<ß<æ<þ< =T=\=g=“=¨=ó=>>N>R>X>\>a>h>n>v>>>˜>Ä>Ï>ì>ö>?%?/?7?=?K?f?{?…?Š?©?®?³?Õ?é?0 N0W0}0Š0466?6:7C7¡;²;ò;ù; <)<2<><E<Ä< =/=;=B=L=V=m=~=‹=’=–=œ= =¦=­=±=Ë=Ô=Ý=é=ó=>/>@>J>R>Z>b>j>’>¼>Ê>Ï>è>ø> ??&?+?0?7?>?H?_?k?x?Š?—?£?°?Â?È?â?ê?ò?ú?@0 00:0B0J0R0Z0b0j0r0z0‚0Š0’0š0¢0ª0²0º0Â0Ê0Ò0Ú0â0ê0ò0ú01 111"1*121:1B1J1R1Z1b1j1r1z1‚1Š1’1§1³1À1Ò1ß1ë1ø1 22#202B2J2R2_2k2x2Š2—2£2°2Â2Ï2Û2è2ú233 323?3K3X3j3w3ƒ33¢3¯3»3È3Ú3ç3ó3444$4(4,484<4@4L4P4T4`4d4h4t4x4|4ˆ4Œ4•4¡4n5í9Ê:ò:;<Y<‘<Ù<Z=ž=ù=>Ô>ï>?¨?ê?P\ 0b0¸0å0]1¹12I22¸23¸3ü3 4œ4À4é45»5ß5ü5~66_8H9®9,;:;A;H;c;o;Š;˜;Ÿ;¦;Ý;‚<¢<š?¼?Ê?`L0Œ3“3Î4‚5¶6ô:(;=;c;Ø;„<<Â<ç<ó<û<===*=:=Z=ì=>A>v>§>Ã>ý>?K?Œ?º?p˜ 040R0…0«0·0Ä0Ö0å011I1™1²12-2É2_3n34o4Ñ4ß4y5ª5Â5Ö5 6J6Œ6¯6ì67U7w7Ö7u8’8 9_9d9w9°9»9Ò9:.:E:c:z:²:ê:;;e;;­;<<¤<==u=¸=.>c>¤>¾>ñ> ?Æ?ñ?€h030F0X0\0`0d0h0l0p0t0x0|0€0„0ˆ0Œ00”0˜0œ0 0¤0¨0¬0°0´0¸0¼0À0Ä0È0Ì0Ð0Ô0Ø0à0ù011%191M1a11Ë120004080è0ì0ð0ô0ø0ü0111111 1$1(122p000 0
base_address: 0x00418000
process_identifier: 8548
process_handle: 0x000002bc
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00419000
process_identifier: 8548
process_handle: 0x000002bc
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 8548
process_handle: 0x000002bc
1 1 0

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4227300
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000001f0
process_identifier: 8548
1 0 0

NtResumeThread

 thread_handle: 0x000001f0
suspend_count: 1
process_identifier: 8548
1 0 0

CreateProcessInternalW

 thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Local\Temp\3582-490\adopepdf.exe
track: 0
command_line: "C:\Users\test22\AppData\Local\Temp\3582-490\adopepdf.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\3582-490\adopepdf.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000000
0 0
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.37142321
FireEye Generic.mg.f930fed502910c89
ALYac Trojan.GenericKD.37142321
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 0057e7c11 )
Alibaba Trojan:Win32/Kryptik.ali2000016
K7GW Trojan ( 0057e7c11 )
BitDefenderTheta Gen:NN.ZemsilF.34758.Kn0@aimy9ck
Symantec Trojan.Gen.2
ESET-NOD32 a variant of MSIL/Kryptik.ABQL
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan-Spy.MSIL.Noon.gen
BitDefender Trojan.GenericKD.37142321
Ad-Aware Trojan.GenericKD.37142321
Emsisoft Trojan.GenericKD.37142321 (B)
Sophos Mal/Generic-S
SentinelOne Static AI - Malicious PE
MaxSecure Trojan.Malware.300983.susgen
MAX malware (ai score=81)
Arcabit Trojan.Generic.D236BF31
AegisLab Trojan.MSIL.NanoBot.m!c
Cynet Malicious (score: 100)
VBA32 CIL.HeapOverride.Heur
Malwarebytes Trojan.Crypt.MSIL
TrendMicro-HouseCall TROJ_GEN.R002H0DFO21
Ikarus Trojan.MSIL.Krypt
Fortinet MSIL/CoinMiner.YII!tr
Webroot W32.Trojan.Gen
CrowdStrike win/malicious_confidence_80% (W)