Summary | ZeroBOX

student-cctv-video(private).exe

Tags: AgentTesla, info stealer, stealer, email, browser, Google, Malicious Library, Chrome User Data, UPX, Code injection, ScreenShot, KeyLogger, DNS, persistence, Socket, AntiDebug, PE File, OS Processor Check, PE32, AntiVM
Category: FILE
Machine: s1_win7_x6403_us
Started: Aug. 4, 2021, 5:28 p.m.
Completed: Aug. 4, 2021, 5:30 p.m.
Size: 359.0KB
Type: PE32 executable (console) Intel 80386, for MS Windows
MD5: dbd37b8c044a27ec8008c6489231075f
SHA256: 5226a12dc7f7b5e28732ad8b5ad6fa9a35eadfbeec122d798cd53c5ef73fe86a
CRC32: 22BD7B0B
ssdeep: 6144:ZlfjLIs254Cz4FatkOAOqQxM3QLylFzk8x2dQ325Y/XDzQsFv:Z9jLIs25BrxM3+yHY84dQmGzz7F
PDB Path: E:\cplusplus\Shoot\Adobe Acrobat\Release\Adobe Acrobat.pdb
Yara
  • PE_Header_Zero - PE File Signature
  • OS_Processor_Check_Zero - OS Processor Check
  • UPX_Zero - UPX packed file
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library

Name / Response / Post-Analysis Lookup: No hosts contacted.
IP Address: 66.154.103.106  Status: Active  Action: Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
status: 1  return: 1  repeated: 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: 1 file(s) copied.
console_handle: 0x00000007
status: 1  return: 1  repeated: 0

WriteConsoleW

buffer: The operation completed successfully.
console_handle: 0x00000007
status: 1  return: 1  repeated: 0
pdb_path: E:\cplusplus\Shoot\Adobe Acrobat\Release\Adobe Acrobat.pdb
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

status: 1  return: 1  repeated: 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1524
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
return: 3221225713 (0xC00000F1, STATUS_INVALID_PARAMETER_3)  repeated: 0

NtAllocateVirtualMemory

process_identifier: 1524
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00350000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0
cmdline: C:\Windows\system32\cmd.exe /c copy "C:\Users\test22\AppData\Local\Temp\student-cctv-video(private).exe" "C:\Users\%username%\AppData\Local\Adobe Acrobat.exe" & REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Adobe Acrobat" /t REG_SZ /F /D "C:\Users\%username%\AppData\Local\Adobe Acrobat.exe"
section: .data (virtual_address 0x0002d000, virtual_size 0x0002a408, size_of_data 0x00029200, entropy 7.975035152338735)
description: A section with a high entropy has been found
entropy: 0.459497206704
description: Overall entropy of this PE file is high
Signatures
  • Network_DNS - Communications use DNS
  • Network_TCP_Socket - Communications over RAW Socket
  • Chrome_User_Data_Check_Zero - Google Chrome User Data Check
  • KeyLogger - Run a KeyLogger
  • Win_Trojan_agentTesla_Zero - Win.Trojan.agentTesla
  • Code_injection - Code injection with CreateRemoteThread in a remote process
  • infoStealer_emailClients_Zero - email clients info stealer
  • ScreenShot - Take ScreenShot
  • infoStealer_browser_Zero - browser info stealer
  • DebuggerCheck__GlobalFlags - (no description)
  • DebuggerCheck__QueryInfo - (no description)
  • DebuggerHiding__Thread - (no description)
  • DebuggerHiding__Active - (no description)
  • ThreadControl__Context - (no description)
  • SEH__vectored - (no description)
  • anti_dbg - Checks if being debugged
  • disable_dep - Bypass DEP
  • Persistence - Install itself for autorun at Windows startup
cmdline: C:\Windows\system32\cmd.exe /c copy "C:\Users\test22\AppData\Local\Temp\student-cctv-video(private).exe" "C:\Users\%username%\AppData\Local\Adobe Acrobat.exe" & REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Adobe Acrobat" /t REG_SZ /F /D "C:\Users\%username%\AppData\Local\Adobe Acrobat.exe"
cmdline: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Adobe Acrobat" /t REG_SZ /F /D "C:\Users\test22\AppData\Local\Adobe Acrobat.exe"
host: 66.154.103.106
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1808
region_size: 208896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000000d4
status: 1  return: 0  repeated: 0
reg_key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Acrobat
reg_value: C:\Users\test22\AppData\Local\Adobe Acrobat.exe
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELFyÊ^à xh-$ @0 ¾ ð1è ¬ œÔ.textx P`.data|L N @`À.eh_framØpX@0@.bss„f€€`À.edata1ð^@0@.idataè`@0À.reloc¬ t@0B
base_address: 0x00400000
process_identifier: 1808
process_handle: 0x000000d4
status: 1  return: 1  repeated: 0

WriteProcessMemory

buffer: zR| ˆ(`‰ÿÿ9A†A ƒC q AÃAÆHt‰ÿÿ,C h`Œ‰ÿÿ,C hx¤‰ÿÿFC0BÜ‰ÿÿFC0B¨Šÿÿ>C0zzR| ˆ $ŠÿÿaAƒC0| AÃA @pŠÿÿaAƒC0| AÃA d¼ŠÿÿaAƒC0| AÃA ˆ‹ÿÿICZ E S E JzR| ˆÜ£ÿÿzR| ˆðŠÿÿ+C gzR| ˆ ðŠÿÿKD†A ƒ}ÃEÆ0@‹ÿÿœA‡A †CƒH ‹Aà AÆAÇ,tˆ‹ÿÿ\A†A ƒN ÃAÆA HÃAÆT¤¸‹ÿÿ…A…A ‡A†CƒE@M AÃAÆ AÇAÅA W EÃAÆ AÇAÅE 8üð‹ÿÿœA…A ‡C†CƒCPŒAÃAÆ AÇAÅ<8TŒÿÿyA…A ‡F†AƒC@hAÃAÆ AÇAÅ4x”ÿÿþA‡A †AƒC Ø Aà AÆAÇA °\Žÿÿ‚AƒC x AÃA 4ÔȎÿÿŠA‡A †AƒC0a Aà AÆAÇA 4  ÿÿŠA‡A †AƒC0a Aà AÆAÇA 4DxÿÿœA‡A †AƒC0p Aà AÆAÇA zR| ˆ<ȏÿÿÑA…A ‡A†AƒC`0 CÃAÆ AÇAÅA zR| ˆ<P’ÿÿ¸A…C ‡A†AƒC@ˆ AÃAÆ AÇAÅA <\ГÿÿqA…A ‡A†AƒCpt AÃAÆ AÇAÅA zR| ˆ<xœÿÿ`A…A ‡A†AƒC@2 AÃAÆ AÇAÅA zR| ˆ<€ÿÿ?A…B F‡†ƒÚ ÃAÆAÇAÅ A µ ÃAÆAÇAÅ A
base_address: 0x00427000
process_identifier: 1808
process_handle: 0x000000d4
status: 1  return: 1  repeated: 0

WriteProcessMemory

buffer: FyÊ^(ð(ð(ð(ðHost.exe
base_address: 0x0042f000
process_identifier: 1808
process_handle: 0x000000d4
status: 1  return: 1  repeated: 0

WriteProcessMemory

buffer: X 00 0+010;0E0¦0Ä0Ë0å0*1Ý1ñ1 2%313|34[4S5.68™8¬9´94:Ý:û<==¶=À=Ë=‡>Ç>û>?? Œ¨1õ34¤5P6\6l6|6œ6º6Þ6ç708x8ª8Ñ9$:´;Ã;Ò;ã;÷;„<“<¢<¹<Ë<r=~=’=©=»=í=ø=>(>Ò>Ú>á>è>ú>? ??(?0?7?>?P?[?b?i??‡?Ž?•?§?²?¹?À?Ö?Þ?å?ì?þ?0ô 0001%1;1E1[1b1v1€1˜1Ÿ1³1º1Ë1Ú1ä1ò122+252K2R2d2n2}2„2œ2©2³2Â2Ì2Ú2÷23#353u3‡33¯3í34424m4w4Ž4¤4µ5¼5Ð5Ú5í5ô5 6646;6V6`6p6w66ˆ6±6¸6É6Ó6ê6ñ6777%7?7I7P7[7k7y7¡7¨7Ã7×7ð7ú78,8D8R8n8€88¢8¸8Í8×:ç:;);0;™;º;ä;ø;<‡=¤=Å=Õ=ÿ=„>Ó?ô?@`0)0M0f0—0 11 1{1–11§1®1µ1½1Ä1Õ1Ý1ä1ø12 222&2-282A2H2U2\2i2r2y2†22˜2¡2¨2µ2¼2â2ë2ó2ù23 30373¹3Á3È3Õ3Ý3ä3ñ3ù34 44444A4M4d4q4~4•4¡4®4Ä4Ý4ô4û45!565á5666¾6ç6ï6ù6E7­7Î7Ö7â7ê788+8Q8¦8Â8ý89W9^9e9q9x99†99–99¤9±9Ù9ø9::7:J:P:f:r:w:}:; ;\;d;~;¢;©;²;Æ;><K<R<W<c<j<q<%=4=C=¹=Ù=è=÷=>> >1>@>O>^>m>|>‹>š>©>¸>Ç>Ö>ô>ù>??4?9?Y?f?‡?ª?¯?Px0†0£0µ0Ù0á0í0ô01 111-151=1D1d1–1¡1+8Ë8ˆ9ú9:::‚:¯:º:À:;';@;H;M;Z;É;ì;÷;t<<•<©=Ú=â=ì=ÿ=> >><>C>_>y>È>`, 2•2Ã3Ê3ô355Ç5v6k8¤8Á8Ù8`9¥9c:G;b;­;p0d0«0Ã0ã0 1P1ò1M3¦3&6.7g7„7œ7Ã7ž8ù8(<J<˜>€Ì§0²1Ç1Ú1ä12h2Ï2î2L3£3*464U4a4’4é4M5Š566*616?6¨6®6ï6õ6 777*7q7®72888N8U8f8Ò8Ø89959<9ˆ9::::G:l:€:ˆ:º:Ø:ô: ;1;L;d;|;”;¬;Ä;Ü;ô; <$<<<T<‰<”<©<Ì<Ñ<Û<=(=X=^=i=¶=3>9>Y>l>·>¿>ó>û>?6?>?c?“?›?¿?Ç?°0¯0a1z1¯1¼1Ü1ó102=2c22“2Ÿ2»2Ã2ï2÷2X3ù3"4¹4d55Ý5‹67@7[7c7r7w7Ž7§7¼7Ç7Ñ7ß7ï78q8y8¶8/9á9:B:g:„::–:Ÿ:¨:±:º:Ã:Ì:Õ:Þ:ç:ð:ù:Ø;â;Z<¸<æ<V=c=r=¤=ã=2>j>}>‰>£>«>»>Ç>á>?6?ë? 
@70?0á0R1¨1°122÷2 3#3Z3b3q3§3î34L4S4h4}4¨4 5,5F5f5ã5°€O0•0¸0>1„1§1G2k2³2Û2Ž3¦3Æ3å3M4b4…4Ÿ4´4F5h5õ56.6w6ƒ6˜6»6Î67#787[7n7·7Ã7í78R8m8˜8Ã8î89D9o9š9Ã9ê9:>:•:ª:8=Ú=¤>Û>H?~?Àpæ0´1À1ò1þ1%2˜2ç2û2)3n3¦3ô34-4„5á5 6T6‡6Ä6ô6'7d7”7Ç7848g8¤8Ø8 9‹9:ú:9;m; ;Ý; <@<}<­<à<=M=€=½=ñ=$>¤>Þ?ÐHÓ01u1Á1Þ23£3Ñ3þ3{4œ45Z7ý7:E;;¨;Ù;<D<Ž<·<ó<=K=l=ˆ=¢=Â=Ü=ú=à$×03Ù3á3î3’68/8C8m;J<‘>ü>?ðh+0?0S0&2222¤2¿2Ì2'333‘3¥3À3Í3(444’4¦4Á4Î4)555“5§5Â5Ï5.6;6Š6ž6¹6Æ6%7277•7°7½78$8¬8#?/?O?[?Ó?D80¡0w1ù12 2222 212N2[2k2|2…2™2ž2µ2Ÿ8:¨;&<µ<4=>@>ç>÷?(ù0H1Ý1k3Ì3à344Ù406£6­6Â6\7û<  ‚10\Ò0f12`243@3å4@5L5Ã5Ø5û5%6?6M6g6u6ä7(8n88·8û89,9i9ü9 :A:W:|:¹:<;T;Ó;"<Ñ<~=?‹?ä?@10’0÷112[2$4¡67P<Ý405½5Ä5 66V6ß78 878>8|8Š8ã8ê8ú89y9ä9ë9&;-;—=ž=`–0£0°0M1T1p$ 22,2ã2ð2¼3Å3Ð4<—<¢<È<ƒ=˜?€F0–6¦6Ö8Ý8.858a8€8—89"9t={= 8^0e0Í0Ó0à0Š1œ1·1¢2µ2Â233669h9Í9­:º:ò<ú<`>?À$§3Ë3q5¸56777þ7 8=8¸;¿;o=ÐÓ1¯2¶2¹4J9Q9?à0X0‰1¨1¡7¨7k8Í9Ë;Â=ð„14&4.464>4F4N4V4^4f4n4v4~4†4Ž4–4ž4¦4®4¶4¾4Æ4Î4Ö4Þ4æ4î4ö4þ45555&5.565>5F5N5V5^5f5n5v5~5†5Ž5–5ž5¦5®5¶5¾5Æ5Î5Ö5Þ5æ5î5ö5þ56666&6.666>6F6N6V6^6f6n6v6~6†6Ž6–6ž6¦6®6¶6¾6Æ6Î6Ö6Þ6æ6î6ö6þ67777&7.767>7F7N7V7^7f7n7v7~7†7Ž7–7ž7¦7®7¶7¾7Æ7Î7Ö7Þ7æ7î7ö7þ78888&8.868>8F8N8V8^8f8n8v8~8†8Ž8–8ž8¦8®8¶8¾8Æ8Î8Ö8Þ8æ8î8ö8þ89999&9.969>9F9N9V9^9f9n9v9ª9/::Ï:;N;U;[;‰;¾;Å;Ë;ù;.<5<;<á<P2!2'2?2F2L2—2×2Þ2ä2:3g3n3t34 44L5S5Y5Û6â6è6E8L8R8¢8©8¯8…<Œ<’<? ??,/2K2U2g2q2À2Î2Û2â2 333!5(5.5F5M5S5 4À8Ä8È8Ì8Ð8Ô8Ø8Ü8à8ä8è8ì8ð8ô8ø8ü8999 99999 9$9(9,9094989<9@9D9H9L9P9T9X9\9`9d9h9l9€9„9ˆ9Œ99”9˜9œ9 9: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:€:„:ˆ:Œ::”:˜:œ: :¤:¨:¬:°:´:¸:¼:À:Ä:È:Ì:Ð:Ô:Ø:Ü:à:ä:è:ì:ð:ô:ø:ü:;;; ;;;;; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d; <¤<¨<¬<°<´<¸<¼<À<Ä<È<Ì<Ð<0 d=h=l=p=t=x=|=€=„=ˆ=Œ=@¬ä3è3ì3ð3ô3ø3ü3444 44L4P4T4X4\4`4T7X7\7`7d7h7l7p7t7x7|7€7„7ˆ7Œ77”7˜7œ7 7¤7¨7¬7°7´7¸7¼7À7Ä7È7Ì7Ð7Ô7Ø7Ü7à7ä7è7ì7ð7ô7ø7ü7888 88888 8$8(8D=L=T=\=d=l=t=|=„=Œ=
base_address: 0x00432000
process_identifier: 1808
process_handle: 0x000000d4
status: 1  return: 1  repeated: 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 1808
process_handle: 0x000000d4
status: 1  return: 1  repeated: 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELFyÊ^à xh-$ @0 ¾ ð1è ¬ œÔ.textx P`.data|L N @`À.eh_framØpX@0@.bss„f€€`À.edata1ð^@0@.idataè`@0À.reloc¬ t@0B
base_address: 0x00400000
process_identifier: 1808
process_handle: 0x000000d4
status: 1  return: 1  repeated: 0
Process injection: process 1524 called NtSetContextThread to modify a thread in remote process 1808
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 2006188484 (0x779401c4)
registers.esp: 1506628 (0x0016fd44)
registers.edi: 0
registers.eax: 4203565 (0x0040242d)
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168 (0x7efde000)
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000cc
process_identifier: 1808
status: 1  return: 0  repeated: 0
Process injection: process 1524 resumed a thread in remote process 1808
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000000cc
suspend_count: 1
process_identifier: 1808
status: 1  return: 0  repeated: 0
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000124
suspend_count: 1
process_identifier: 1524
status: 1  return: 0  repeated: 0

CreateProcessInternalW

thread_identifier: 1796
thread_handle: 0x000000d4
process_identifier: 1016
current_directory:
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: C:\Windows\system32\cmd.exe /c copy "C:\Users\test22\AppData\Local\Temp\student-cctv-video(private).exe" "C:\Users\%username%\AppData\Local\Adobe Acrobat.exe" & REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Adobe Acrobat" /t REG_SZ /F /D "C:\Users\%username%\AppData\Local\Adobe Acrobat.exe"
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 1
process_handle: 0x000000cc
status: 1  return: 1  repeated: 0

CreateProcessInternalW

thread_identifier: 1940
thread_handle: 0x000000cc
process_identifier: 1808
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\student-cctv-video(private).exe
track: 1
command_line:
filepath_r: C:\Users\test22\AppData\Local\Temp\student-cctv-video(private).exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000000d4
status: 1  return: 1  repeated: 0

NtGetContextThread

thread_handle: 0x000000cc
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 1808
region_size: 208896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000000d4
status: 1  return: 0  repeated: 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELFyÊ^à xh-$ @0 ¾ ð1è ¬ œÔ.textx P`.data|L N @`À.eh_framØpX@0@.bss„f€€`À.edata1ð^@0@.idataè`@0À.reloc¬ t@0B
base_address: 0x00400000
process_identifier: 1808
process_handle: 0x000000d4
status: 1  return: 1  repeated: 0

WriteProcessMemory

buffer:
base_address: 0x00401000
process_identifier: 1808
process_handle: 0x000000d4
status: 1  return: 1  repeated: 0

WriteProcessMemory

buffer:
base_address: 0x00422000
process_identifier: 1808
process_handle: 0x000000d4
status: 1  return: 1  repeated: 0

WriteProcessMemory

buffer: zR| ˆ(`‰ÿÿ9A†A ƒC q AÃAÆHt‰ÿÿ,C h`Œ‰ÿÿ,C hx¤‰ÿÿFC0BÜ‰ÿÿFC0B¨Šÿÿ>C0zzR| ˆ $ŠÿÿaAƒC0| AÃA @pŠÿÿaAƒC0| AÃA d¼ŠÿÿaAƒC0| AÃA ˆ‹ÿÿICZ E S E JzR| ˆÜ£ÿÿzR| ˆðŠÿÿ+C gzR| ˆ ðŠÿÿKD†A ƒ}ÃEÆ0@‹ÿÿœA‡A †CƒH ‹Aà AÆAÇ,tˆ‹ÿÿ\A†A ƒN ÃAÆA HÃAÆT¤¸‹ÿÿ…A…A ‡A†CƒE@M AÃAÆ AÇAÅA W EÃAÆ AÇAÅE 8üð‹ÿÿœA…A ‡C†CƒCPŒAÃAÆ AÇAÅ<8TŒÿÿyA…A ‡F†AƒC@hAÃAÆ AÇAÅ4x”ÿÿþA‡A †AƒC Ø Aà AÆAÇA °\Žÿÿ‚AƒC x AÃA 4ÔȎÿÿŠA‡A †AƒC0a Aà AÆAÇA 4  ÿÿŠA‡A †AƒC0a Aà AÆAÇA 4DxÿÿœA‡A †AƒC0p Aà AÆAÇA zR| ˆ<ȏÿÿÑA…A ‡A†AƒC`0 CÃAÆ AÇAÅA zR| ˆ<P’ÿÿ¸A…C ‡A†AƒC@ˆ AÃAÆ AÇAÅA <\ГÿÿqA…A ‡A†AƒCpt AÃAÆ AÇAÅA zR| ˆ<xœÿÿ`A…A ‡A†AƒC@2 AÃAÆ AÇAÅA zR| ˆ<€ÿÿ?A…B F‡†ƒÚ ÃAÆAÇAÅ A µ ÃAÆAÇAÅ A
base_address: 0x00427000
process_identifier: 1808
process_handle: 0x000000d4
status: 1  return: 1  repeated: 0

WriteProcessMemory

buffer:
base_address: 0x00428000
process_identifier: 1808
process_handle: 0x000000d4
return: 0  repeated: 0

WriteProcessMemory

buffer: FyÊ^(ð(ð(ð(ðHost.exe
base_address: 0x0042f000
process_identifier: 1808
process_handle: 0x000000d4
status: 1  return: 1  repeated: 0

WriteProcessMemory

buffer:
base_address: 0x00430000
process_identifier: 1808
process_handle: 0x000000d4
status: 1  return: 1  repeated: 0

WriteProcessMemory

buffer: X 00 0+010;0E0¦0Ä0Ë0å0*1Ý1ñ1 2%313|34[4S5.68™8¬9´94:Ý:û<==¶=À=Ë=‡>Ç>û>?? Œ¨1õ34¤5P6\6l6|6œ6º6Þ6ç708x8ª8Ñ9$:´;Ã;Ò;ã;÷;„<“<¢<¹<Ë<r=~=’=©=»=í=ø=>(>Ò>Ú>á>è>ú>? ??(?0?7?>?P?[?b?i??‡?Ž?•?§?²?¹?À?Ö?Þ?å?ì?þ?0ô 0001%1;1E1[1b1v1€1˜1Ÿ1³1º1Ë1Ú1ä1ò122+252K2R2d2n2}2„2œ2©2³2Â2Ì2Ú2÷23#353u3‡33¯3í34424m4w4Ž4¤4µ5¼5Ð5Ú5í5ô5 6646;6V6`6p6w66ˆ6±6¸6É6Ó6ê6ñ6777%7?7I7P7[7k7y7¡7¨7Ã7×7ð7ú78,8D8R8n8€88¢8¸8Í8×:ç:;);0;™;º;ä;ø;<‡=¤=Å=Õ=ÿ=„>Ó?ô?@`0)0M0f0—0 11 1{1–11§1®1µ1½1Ä1Õ1Ý1ä1ø12 222&2-282A2H2U2\2i2r2y2†22˜2¡2¨2µ2¼2â2ë2ó2ù23 30373¹3Á3È3Õ3Ý3ä3ñ3ù34 44444A4M4d4q4~4•4¡4®4Ä4Ý4ô4û45!565á5666¾6ç6ï6ù6E7­7Î7Ö7â7ê788+8Q8¦8Â8ý89W9^9e9q9x99†99–99¤9±9Ù9ø9::7:J:P:f:r:w:}:; ;\;d;~;¢;©;²;Æ;><K<R<W<c<j<q<%=4=C=¹=Ù=è=÷=>> >1>@>O>^>m>|>‹>š>©>¸>Ç>Ö>ô>ù>??4?9?Y?f?‡?ª?¯?Px0†0£0µ0Ù0á0í0ô01 111-151=1D1d1–1¡1+8Ë8ˆ9ú9:::‚:¯:º:À:;';@;H;M;Z;É;ì;÷;t<<•<©=Ú=â=ì=ÿ=> >><>C>_>y>È>`, 2•2Ã3Ê3ô355Ç5v6k8¤8Á8Ù8`9¥9c:G;b;­;p0d0«0Ã0ã0 1P1ò1M3¦3&6.7g7„7œ7Ã7ž8ù8(<J<˜>€Ì§0²1Ç1Ú1ä12h2Ï2î2L3£3*464U4a4’4é4M5Š566*616?6¨6®6ï6õ6 777*7q7®72888N8U8f8Ò8Ø89959<9ˆ9::::G:l:€:ˆ:º:Ø:ô: ;1;L;d;|;”;¬;Ä;Ü;ô; <$<<<T<‰<”<©<Ì<Ñ<Û<=(=X=^=i=¶=3>9>Y>l>·>¿>ó>û>?6?>?c?“?›?¿?Ç?°0¯0a1z1¯1¼1Ü1ó102=2c22“2Ÿ2»2Ã2ï2÷2X3ù3"4¹4d55Ý5‹67@7[7c7r7w7Ž7§7¼7Ç7Ñ7ß7ï78q8y8¶8/9á9:B:g:„::–:Ÿ:¨:±:º:Ã:Ì:Õ:Þ:ç:ð:ù:Ø;â;Z<¸<æ<V=c=r=¤=ã=2>j>}>‰>£>«>»>Ç>á>?6?ë? 
@70?0á0R1¨1°122÷2 3#3Z3b3q3§3î34L4S4h4}4¨4 5,5F5f5ã5°€O0•0¸0>1„1§1G2k2³2Û2Ž3¦3Æ3å3M4b4…4Ÿ4´4F5h5õ56.6w6ƒ6˜6»6Î67#787[7n7·7Ã7í78R8m8˜8Ã8î89D9o9š9Ã9ê9:>:•:ª:8=Ú=¤>Û>H?~?Àpæ0´1À1ò1þ1%2˜2ç2û2)3n3¦3ô34-4„5á5 6T6‡6Ä6ô6'7d7”7Ç7848g8¤8Ø8 9‹9:ú:9;m; ;Ý; <@<}<­<à<=M=€=½=ñ=$>¤>Þ?ÐHÓ01u1Á1Þ23£3Ñ3þ3{4œ45Z7ý7:E;;¨;Ù;<D<Ž<·<ó<=K=l=ˆ=¢=Â=Ü=ú=à$×03Ù3á3î3’68/8C8m;J<‘>ü>?ðh+0?0S0&2222¤2¿2Ì2'333‘3¥3À3Í3(444’4¦4Á4Î4)555“5§5Â5Ï5.6;6Š6ž6¹6Æ6%7277•7°7½78$8¬8#?/?O?[?Ó?D80¡0w1ù12 2222 212N2[2k2|2…2™2ž2µ2Ÿ8:¨;&<µ<4=>@>ç>÷?(ù0H1Ý1k3Ì3à344Ù406£6­6Â6\7û<  ‚10\Ò0f12`243@3å4@5L5Ã5Ø5û5%6?6M6g6u6ä7(8n88·8û89,9i9ü9 :A:W:|:¹:<;T;Ó;"<Ñ<~=?‹?ä?@10’0÷112[2$4¡67P<Ý405½5Ä5 66V6ß78 878>8|8Š8ã8ê8ú89y9ä9ë9&;-;—=ž=`–0£0°0M1T1p$ 22,2ã2ð2¼3Å3Ð4<—<¢<È<ƒ=˜?€F0–6¦6Ö8Ý8.858a8€8—89"9t={= 8^0e0Í0Ó0à0Š1œ1·1¢2µ2Â233669h9Í9­:º:ò<ú<`>?À$§3Ë3q5¸56777þ7 8=8¸;¿;o=ÐÓ1¯2¶2¹4J9Q9?à0X0‰1¨1¡7¨7k8Í9Ë;Â=ð„14&4.464>4F4N4V4^4f4n4v4~4†4Ž4–4ž4¦4®4¶4¾4Æ4Î4Ö4Þ4æ4î4ö4þ45555&5.565>5F5N5V5^5f5n5v5~5†5Ž5–5ž5¦5®5¶5¾5Æ5Î5Ö5Þ5æ5î5ö5þ56666&6.666>6F6N6V6^6f6n6v6~6†6Ž6–6ž6¦6®6¶6¾6Æ6Î6Ö6Þ6æ6î6ö6þ67777&7.767>7F7N7V7^7f7n7v7~7†7Ž7–7ž7¦7®7¶7¾7Æ7Î7Ö7Þ7æ7î7ö7þ78888&8.868>8F8N8V8^8f8n8v8~8†8Ž8–8ž8¦8®8¶8¾8Æ8Î8Ö8Þ8æ8î8ö8þ89999&9.969>9F9N9V9^9f9n9v9ª9/::Ï:;N;U;[;‰;¾;Å;Ë;ù;.<5<;<á<P2!2'2?2F2L2—2×2Þ2ä2:3g3n3t34 44L5S5Y5Û6â6è6E8L8R8¢8©8¯8…<Œ<’<? ??,/2K2U2g2q2À2Î2Û2â2 333!5(5.5F5M5S5 4À8Ä8È8Ì8Ð8Ô8Ø8Ü8à8ä8è8ì8ð8ô8ø8ü8999 99999 9$9(9,9094989<9@9D9H9L9P9T9X9\9`9d9h9l9€9„9ˆ9Œ99”9˜9œ9 9: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:€:„:ˆ:Œ::”:˜:œ: :¤:¨:¬:°:´:¸:¼:À:Ä:È:Ì:Ð:Ô:Ø:Ü:à:ä:è:ì:ð:ô:ø:ü:;;; ;;;;; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d; <¤<¨<¬<°<´<¸<¼<À<Ä<È<Ì<Ð<0 d=h=l=p=t=x=|=€=„=ˆ=Œ=@¬ä3è3ì3ð3ô3ø3ü3444 44L4P4T4X4\4`4T7X7\7`7d7h7l7p7t7x7|7€7„7ˆ7Œ77”7˜7œ7 7¤7¨7¬7°7´7¸7¼7À7Ä7È7Ì7Ð7Ô7Ø7Ü7à7ä7è7ì7ð7ô7ø7ü7888 88888 8$8(8D=L=T=\=d=l=t=|=„=Œ=
base_address: 0x00432000
process_identifier: 1808
process_handle: 0x000000d4
status: 1  return: 1  repeated: 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 1808
process_handle: 0x000000d4
status: 1  return: 1  repeated: 0

NtSetContextThread

registers.eip: 2006188484 (0x779401c4)
registers.esp: 1506628 (0x0016fd44)
registers.edi: 0
registers.eax: 4203565 (0x0040242d)
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168 (0x7efde000)
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000cc
process_identifier: 1808
status: 1  return: 0  repeated: 0

NtResumeThread

thread_handle: 0x000000cc
suspend_count: 1
process_identifier: 1808
status: 1  return: 0  repeated: 0

CreateProcessInternalW

thread_identifier: 1120
thread_handle: 0x00000084
process_identifier: 1608
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\reg.exe
track: 1
command_line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Adobe Acrobat" /t REG_SZ /F /D "C:\Users\test22\AppData\Local\Adobe Acrobat.exe"
filepath_r: C:\Windows\system32\reg.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000088
status: 1  return: 1  repeated: 0

Antivirus
  • Bkav - W32.AIDetect.malware1
  • Lionic - Trojan.Win32.NetWiredRC.m!c
  • Elastic - malicious (high confidence)
  • MicroWorld-eScan - Gen:Variant.Johnnie.372218
  • FireEye - Generic.mg.dbd37b8c044a27ec
  • Qihoo-360 - Win32/Backdoor.NetWire.HgIASZYA
  • ALYac - Gen:Variant.Johnnie.372218
  • Malwarebytes - Malware.AI.334160484
  • Sangfor - Trojan.Win32.Save.a
  • Alibaba - Backdoor:Win32/NetWiredRC.87e6b9b8
  • Cybereason - malicious.76fe9b
  • Cyren - W32/Trojan.MDZV-6496
  • Symantec - ML.Attribute.HighConfidence
  • APEX - Malicious
  • Paloalto - generic.ml
  • Kaspersky - HEUR:Backdoor.Win32.NetWiredRC.gen
  • BitDefender - Gen:Variant.Johnnie.372218
  • Avast - Win32:Malware-gen
  • Ad-Aware - Gen:Variant.Johnnie.372218
  • Emsisoft - Gen:Variant.Johnnie.372218 (B)
  • TrendMicro - TrojanSpy.Win32.TRICKBOT.SMC
  • McAfee-GW-Edition - BehavesLike.Win32.Trojan.fc
  • Sophos - Mal/Generic-S
  • Ikarus - Trojan.NetWiredRC
  • Avira - TR/AD.NetWiredRc.nbefz
  • MAX - malware (ai score=81)
  • Microsoft - Trojan:Win32/Woreflint.A!cl
  • GData - Gen:Variant.Johnnie.372218
  • Cynet - Malicious (score: 100)
  • AhnLab-V3 - Trojan/Win.TRICKBOT.C4567194
  • McAfee - Artemis!DBD37B8C044A
  • VBA32 - BScope.Backdoor.NetWiredRC
  • Cylance - Unsafe
  • TrendMicro-HouseCall - TrojanSpy.Win32.TRICKBOT.SMC
  • Tencent - Win32.Backdoor.Netwiredrc.Wvkl
  • SentinelOne - Static AI - Malicious PE
  • eGambit - Unsafe.AI_Score_99%
  • Fortinet - W32/TrojanSpy_Win32_TRICKBOT.SMC
  • BitDefenderTheta - Gen:NN.ZexaF.34050.wu0@auw5GCdi
  • AVG - Win32:Malware-gen
  • Panda - Trj/GdSda.A
  • CrowdStrike - win/malicious_confidence_90% (W)
  • MaxSecure - Trojan.Malware.300983.susgen