popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

.csrss.exe

Generic Malware Admin Tool (Sysinternals etc ...) Socket DNS PWS AntiDebug PE File PE32 .NET EXE AntiVM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 Aug. 3, 2021, 9:06 a.m. Aug. 3, 2021, 9:28 a.m.
Size 1.2MB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 8894b0f72764e1754c1d415dcda7b7f9
SHA256 3f4e7765b271ea4766c05cb4a29e14b22ec22d4ad42da74372fc3b475b0f0566
CRC32 80BCE2AC
ssdeep 24576:12zW76DOvfx8Dgyfx8DgNttkwmEoTwhk+7XPXANwDZuSL:8W76S58Dgy58DgNjkxknvACZ7
Yara
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult
  • PE_Header_Zero - PE File Signature
  • Generic_Malware_Zero - Generic Malware
  • Is_DotNET_EXE - (no description)
  • IsPE32 - (no description)
  • Admin_Tool_IN_Zero - Admin Tool Sysinternals

Name Response Post-Analysis Lookup
manvim.co
A 147.182.202.54
147.182.202.54
IP Address Status Action
147.182.202.54 Active Moloch
164.124.101.2 Active Moloch
79.134.225.19 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49167 -> 147.182.202.54:80 2021641 ET MALWARE LokiBot User-Agent (Charon/Inferno) A Network Trojan was detected
TCP 192.168.56.102:49167 -> 147.182.202.54:80 2025381 ET MALWARE LokiBot Checkin Malware Command and Control Activity Detected
TCP 192.168.56.102:49164 -> 147.182.202.54:80 2021641 ET MALWARE LokiBot User-Agent (Charon/Inferno) A Network Trojan was detected
TCP 192.168.56.102:49164 -> 147.182.202.54:80 2025381 ET MALWARE LokiBot Checkin Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 147.182.202.54:80 2021641 ET MALWARE LokiBot User-Agent (Charon/Inferno) A Network Trojan was detected
TCP 192.168.56.102:49166 -> 147.182.202.54:80 2025381 ET MALWARE LokiBot Checkin Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 147.182.202.54:80 2024313 ET MALWARE LokiBot Request for C2 Commands Detected M1 Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 147.182.202.54:80 2024318 ET MALWARE LokiBot Request for C2 Commands Detected M2 Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 147.182.202.54:80 2024312 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 A Network Trojan was detected
TCP 192.168.56.102:49164 -> 147.182.202.54:80 2024312 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 A Network Trojan was detected
TCP 192.168.56.102:49166 -> 147.182.202.54:80 2024317 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 A Network Trojan was detected
TCP 192.168.56.102:49164 -> 147.182.202.54:80 2024317 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 A Network Trojan was detected
TCP 147.182.202.54:80 -> 192.168.56.102:49167 2025483 ET MALWARE LokiBot Fake 404 Response A Network Trojan was detected
TCP 192.168.56.102:49168 -> 147.182.202.54:80 2021641 ET MALWARE LokiBot User-Agent (Charon/Inferno) A Network Trojan was detected
TCP 192.168.56.102:49168 -> 147.182.202.54:80 2025381 ET MALWARE LokiBot Checkin Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 147.182.202.54:80 2024313 ET MALWARE LokiBot Request for C2 Commands Detected M1 Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 147.182.202.54:80 2024318 ET MALWARE LokiBot Request for C2 Commands Detected M2 Malware Command and Control Activity Detected
TCP 147.182.202.54:80 -> 192.168.56.102:49168 2025483 ET MALWARE LokiBot Fake 404 Response A Network Trojan was detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00535010
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00535110
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00535110
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
suspicious_features POST method with no referer header, HTTP version 1.0 used suspicious_request POST http://manvim.co/fd5/fre.php
request POST http://manvim.co/fd5/fre.php
request POST http://manvim.co/fd5/fre.php
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005f0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00640000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73a71000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73a72000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007d0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00830000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00692000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006c5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006cb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006c7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006ac000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00800000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0069a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006ba000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006b7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006b6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00801000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0069c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef50000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef58000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0080a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fea2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0080b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006ad000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006ae000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0080c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0080d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0080e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0080f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049b1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049b2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049b3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049b4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049b5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049b6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049b7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049b8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceW

 number_of_free_clusters: 3005336
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

 number_of_free_clusters: 3005336
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
file C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
file C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
file C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\Login Data
file C:\Users\test22\AppData\Local\Chromium\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data
file C:\Users\test22\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
file C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file C:\Users\test22\AppData\LocalMapleStudio\ChromePlus\Login Data
file C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\RockMelt\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\RockMelt\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
Time & API Arguments Status Return Repeated

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\AppData\Roaming\41D896\6D6F4D.exe
flags: 1
oldfilepath_r: C:\Users\test22\AppData\Local\Temp\.csrss.exe
newfilepath: C:\Users\test22\AppData\Roaming\41D896\6D6F4D.exe
oldfilepath: C:\Users\test22\AppData\Local\Temp\.csrss.exe
1 1 0
section {u'size_of_data': u'0x00120e00', u'virtual_address': u'0x00002000', u'entropy': 7.508121175617934, u'name': u'.text', u'virtual_size': u'0x00120c1c'} entropy 7.50812117562 description A section with a high entropy has been found
entropy 0.954958677686 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
url http://www.iec.ch
url http://www.ibsensoftware.com/
description Communications use DNS rule Network_DNS
description Communications over RAW Socket rule Network_TCP_Socket
description Win32 PWS Loki rule Win32_PWS_Loki_Zero
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
host 79.134.225.19
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2740
region_size: 663552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000264
1 0 0
file C:\Program Files (x86)\FTPGetter\Profile\servers.xml
file C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file C:\Users\test22\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
file C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini
file C:\Users\test22\AppData\Roaming\wcx_ftp.ini
file C:\Windows\wcx_ftp.ini
file C:\Users\test22\wcx_ftp.ini
file C:\Windows\32BitFtp.ini
file C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file C:\Program Files (x86)\FileZilla\Filezilla.xml
file C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
file C:\Users\test22\AppData\Roaming\FileZilla\filezilla.xml
registry HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry HKEY_CURRENT_USER\Software\VanDyke\SecureFX
registry HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
registry HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
registry HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
registry HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
registry HKEY_CURRENT_USER\Software\Martin Prikryl
registry HKEY_LOCAL_MACHINE\Software\Martin Prikryl
file C:\Users\test22\AppData\Roaming\.purple\accounts.xml
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@𺴠Í!¸LÍ!This program cannot be run in DOS mode. $ÌÍxþˆ¬­ˆ¬­ˆ¬­Ô•­‰¬­K£K­Š¬­ ­‰¬­=2󭋬­ˆ¬­Œ¬­Ôƒ­‰¬­ˆ¬­Ç¬­Ô…­™¬­=2÷­ó¬­=2È­‰¬­Richˆ¬­PEL…lWà  8¢Þ9P@ €ЎdP\.textõ68 `.rdata`@PB<@@.data$^ ~@À.x €À
base_address: 0x00400000
process_identifier: 2740
process_handle: 0x00000264
1 1 0

WriteProcessMemory

 buffer: ™TÍ<¨‡K¢`ˆˆÝ;U
base_address: 0x0041a000
process_identifier: 2740
process_handle: 0x00000264
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2740
process_handle: 0x00000264
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@𺴠Í!¸LÍ!This program cannot be run in DOS mode. $ÌÍxþˆ¬­ˆ¬­ˆ¬­Ô•­‰¬­K£K­Š¬­ ­‰¬­=2󭋬­ˆ¬­Œ¬­Ôƒ­‰¬­ˆ¬­Ç¬­Ô…­™¬­=2÷­ó¬­=2È­‰¬­Richˆ¬­PEL…lWà  8¢Þ9P@ €ЎdP\.textõ68 `.rdata`@PB<@@.data$^ ~@À.x €À
base_address: 0x00400000
process_identifier: 2740
process_handle: 0x00000264
1 1 0
file C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird\78.4.0 (ko)\Main
registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
Process injection Process 2056 called NtSetContextThread to modify thread in remote process 2740
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274654
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000260
process_identifier: 2740
1 0 0
Process injection Process 2056 resumed a thread in remote process 2740
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x00000260
suspend_count: 1
process_identifier: 2740
1 0 0
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2744
thread_handle: 0x00000260
process_identifier: 2740
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\.csrss.exe
track: 1
command_line:
filepath_r: C:\Users\test22\AppData\Local\Temp\.csrss.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000264
1 1 0
Lionic Trojan.Multi.Generic.4!c
Elastic malicious (high confidence)
FireEye Generic.mg.8894b0f72764e175
McAfee Artemis!8894B0F72764
CrowdStrike win/malicious_confidence_80% (W)
Cyren W32/MSIL_Kryptik.DLO.gen!Eldorado
Symantec Scr.Malcode!gdn30
ESET-NOD32 a variant of MSIL/Kryptik.ACET
Kaspersky UDS:DangerousObject.Multi.Generic
DrWeb Trojan.Siggen14.51604
McAfee-GW-Edition BehavesLike.Win32.Generic.tc
APEX Malicious
Kingsoft Win32.Troj.Generic_a.a.(kcloud)
Microsoft Trojan:MSIL/AgenteslaPacker!MTB
ZoneAlarm UDS:DangerousObject.Multi.Generic
VBA32 Malware-Cryptor.MSIL.AgentTesla.Heur
SentinelOne Static AI - Malicious PE
Fortinet MSIL/Agent.GIQ!tr
MaxSecure Trojan.Malware.300983.susgen
Qihoo-360 Win32/TrojanSpy.AgentTesla.HgIASZkA
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 2056
1 0 0

NtResumeThread

 thread_handle: 0x00000150
suspend_count: 1
process_identifier: 2056
1 0 0

NtResumeThread

 thread_handle: 0x00000190
suspend_count: 1
process_identifier: 2056
1 0 0

NtResumeThread

 thread_handle: 0x0000021c
suspend_count: 1
process_identifier: 2056
1 0 0

NtResumeThread

 thread_handle: 0x00000258
suspend_count: 1
process_identifier: 2056
1 0 0

NtGetContextThread

 thread_handle: 0x000000e0
1 0 0

NtGetContextThread

 thread_handle: 0x000000e0
1 0 0

NtResumeThread

 thread_handle: 0x000000e0
suspend_count: 1
process_identifier: 2056
1 0 0

NtGetContextThread

 thread_handle: 0x000000e0
1 0 0

NtGetContextThread

 thread_handle: 0x000000e0
1 0 0

NtResumeThread

 thread_handle: 0x000000e0
suspend_count: 1
process_identifier: 2056
1 0 0

CreateProcessInternalW

 thread_identifier: 2744
thread_handle: 0x00000260
process_identifier: 2740
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\.csrss.exe
track: 1
command_line:
filepath_r: C:\Users\test22\AppData\Local\Temp\.csrss.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000264
1 1 0

NtGetContextThread

 thread_handle: 0x00000260
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2740
region_size: 663552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000264
1 0 0

WriteProcessMemory

 buffer: MZÿÿ¸@𺴠Í!¸LÍ!This program cannot be run in DOS mode. $ÌÍxþˆ¬­ˆ¬­ˆ¬­Ô•­‰¬­K£K­Š¬­ ­‰¬­=2󭋬­ˆ¬­Œ¬­Ôƒ­‰¬­ˆ¬­Ç¬­Ô…­™¬­=2÷­ó¬­=2È­‰¬­Richˆ¬­PEL…lWà  8¢Þ9P@ €ЎdP\.textõ68 `.rdata`@PB<@@.data$^ ~@À.x €À
base_address: 0x00400000
process_identifier: 2740
process_handle: 0x00000264
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00401000
process_identifier: 2740
process_handle: 0x00000264
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00415000
process_identifier: 2740
process_handle: 0x00000264
1 1 0

WriteProcessMemory

 buffer: ™TÍ<¨‡K¢`ˆˆÝ;U
base_address: 0x0041a000
process_identifier: 2740
process_handle: 0x00000264
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x004a0000
process_identifier: 2740
process_handle: 0x00000264
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2740
process_handle: 0x00000264
1 1 0

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274654
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000260
process_identifier: 2740
1 0 0

NtResumeThread

 thread_handle: 0x00000260
suspend_count: 1
process_identifier: 2740
1 0 0

NtResumeThread

 thread_handle: 0x00000110
suspend_count: 1
process_identifier: 2740
1 0 0