Summary | ZeroBOX

المريض باسل دراغمة_0001 pdf.exe (Arabic filename, approximately "The patient Basel Daraghmeh_0001 pdf.exe"; an executable named to pass as a PDF)

Tags: UPX, Admin Tool (Sysinternals etc ...), Malicious Library, Malicious Packer, PDF, GIF Format, PE File, OS Processor Check, JPEG Format, PE32
Category FILE
Machine s1_win7_x6403_us
Started Aug. 10, 2021, 9:27 a.m.
Completed Aug. 10, 2021, 9:29 a.m.
Size 4.3MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 d60edd62ea6f2965e663c1a4ed2fdea8
SHA256 f2f36a72cfb25cef74ff0ea8e3ad1c49c6dc3e128fd60a2717f4c5a225e20df2
CRC32 9025B2E0
ssdeep 49152:Gbr+E4KzVfTYS+mb2euhB9/RgE4ksagGKHMn6sE3HYTa+1ak5HomXobrZM6bbbzu:Gbt4rmb2euhB9/lwGlne6jodbNBW
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Packer_Zero - Malicious Packer
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Admin_Tool_IN_Zero - Admin Tool Sysinternals

Name Response Post-Analysis Lookup
dorothymambrose.live 198.54.116.130
IP Address Status Action
164.124.101.2 Active Moloch
198.54.116.130 Active Moloch

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
file C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
section .itext
section .didata
packer BobSoft Mini Delphi -> BoB / BobSoft
resource name PDF
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
TMethodImplementationIntercept+0x1db759 dbkFCallWrapperAddr-0x30fb3 المريض باسل دراغمة_0001 pdf+0x2bc68d @ 0x6bc68d
TMethodImplementationIntercept+0x1dba20 dbkFCallWrapperAddr-0x30cec المريض باسل دراغمة_0001 pdf+0x2bc954 @ 0x6bc954
TMethodImplementationIntercept+0x1e6c1d dbkFCallWrapperAddr-0x25aef المريض باسل دراغمة_0001 pdf+0x2c7b51 @ 0x6c7b51
TMethodImplementationIntercept+0x1e6efd dbkFCallWrapperAddr-0x2580f المريض باسل دراغمة_0001 pdf+0x2c7e31 @ 0x6c7e31
TMethodImplementationIntercept+0x1e5f6f dbkFCallWrapperAddr-0x2679d المريض باسل دراغمة_0001 pdf+0x2c6ea3 @ 0x6c6ea3
TMethodImplementationIntercept+0x1e6982 dbkFCallWrapperAddr-0x25d8a المريض باسل دراغمة_0001 pdf+0x2c78b6 @ 0x6c78b6
TMethodImplementationIntercept+0x1e998e dbkFCallWrapperAddr-0x22d7e المريض باسل دراغمة_0001 pdf+0x2ca8c2 @ 0x6ca8c2
TMethodImplementationIntercept+0x1f3af7 dbkFCallWrapperAddr-0x18c15 المريض باسل دراغمة_0001 pdf+0x2d4a2b @ 0x6d4a2b
TMethodImplementationIntercept+0x1f2e0a dbkFCallWrapperAddr-0x19902 المريض باسل دراغمة_0001 pdf+0x2d3d3e @ 0x6d3d3e
TMethodImplementationIntercept+0x1f3a0b dbkFCallWrapperAddr-0x18d01 المريض باسل دراغمة_0001 pdf+0x2d493f @ 0x6d493f
__dbk_fcall_wrapper+0x72efe TMethodImplementationIntercept-0x5cc5a المريض باسل دراغمة_0001 pdf+0x842da @ 0x4842da
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x751762fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75176d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x751777c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7517788a
TMethodImplementationIntercept+0x13d5e4 dbkFCallWrapperAddr-0xcf128 المريض باسل دراغمة_0001 pdf+0x21e518 @ 0x61e518

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x7677b727
registers.esp: 1636728
registers.edi: 36223312
registers.eax: 1636728
registers.ebp: 1636808
registers.edx: 0
registers.ebx: 12175
registers.esi: 36223104
registers.ecx: 7
1 0 0
suspicious_features POST method with no referer header suspicious_request POST http://dorothymambrose.live/hx3FByTR5o3zNZYD/sYkaiHz0Mse13C79dy1I/Bbf0VKK5GZjWAo2phPwe
suspicious_features POST method with no referer header suspicious_request POST http://dorothymambrose.live/hx3FByTR5o3zNZYD/sYkaiHz0Mse13C79dy1I/g5cBEYiSfa9vFvj9Qix6
suspicious_features POST method with no referer header suspicious_request POST http://dorothymambrose.live/hx3FByTR5o3zNZYD/sYkaiHz0Mse13C79dy1I/jkHs2LXmxxRKvBtHVYp
suspicious_features POST method with no referer header suspicious_request POST http://dorothymambrose.live/hx3FByTR5o3zNZYD/sYkaiHz0Mse13C79dy1I/PhZsaXdR1V7zV9wmdXNv
request GET http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/278_20_6_20042.zip
request GET http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/280_20_6_20042.zip
request GET http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/281_20_6_20042.zip
request GET http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/277_20_6_20042.zip
request POST http://dorothymambrose.live/hx3FByTR5o3zNZYD/sYkaiHz0Mse13C79dy1I/Bbf0VKK5GZjWAo2phPwe
request POST http://dorothymambrose.live/hx3FByTR5o3zNZYD/sYkaiHz0Mse13C79dy1I/g5cBEYiSfa9vFvj9Qix6
request POST http://dorothymambrose.live/hx3FByTR5o3zNZYD/sYkaiHz0Mse13C79dy1I/jkHs2LXmxxRKvBtHVYp
request POST http://dorothymambrose.live/hx3FByTR5o3zNZYD/sYkaiHz0Mse13C79dy1I/PhZsaXdR1V7zV9wmdXNv
request POST http://dorothymambrose.live/hx3FByTR5o3zNZYD/sYkaiHz0Mse13C79dy1I/Bbf0VKK5GZjWAo2phPwe
request POST http://dorothymambrose.live/hx3FByTR5o3zNZYD/sYkaiHz0Mse13C79dy1I/g5cBEYiSfa9vFvj9Qix6
request POST http://dorothymambrose.live/hx3FByTR5o3zNZYD/sYkaiHz0Mse13C79dy1I/jkHs2LXmxxRKvBtHVYp
request POST http://dorothymambrose.live/hx3FByTR5o3zNZYD/sYkaiHz0Mse13C79dy1I/PhZsaXdR1V7zV9wmdXNv
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1268
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\basel.pdf
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\المريض باسل دراغمة_0001 pdf.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\المريض باسل دراغمة_0001 pdf.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013\Word 2013.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Thunderbird.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
section .rsrc (virtual_address 0x00338000, virtual_size 0x00125e00, size_of_data 0x00125e00) entropy 7.47471961525 description A section with a high entropy has been found
entropy 0.26589007012 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeCreateTokenPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeAssignPrimaryTokenPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeMachineAccountPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeTcbPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeSecurityPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeTakeOwnershipPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeLoadDriverPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeBackupPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeRestorePrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeRemoteShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeEnableDelegationPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeManageVolumePrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeCreateGlobalPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0
Time & API Arguments Status Return Repeated

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}
base_handle: 0x80000002
key_handle: 0x000001e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}
base_handle: 0x80000002
key_handle: 0x000001e8
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}
base_handle: 0x80000002
key_handle: 0x00000538
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}
base_handle: 0x80000002
key_handle: 0x00000548
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}
base_handle: 0x80000002
key_handle: 0x00000540
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}
1 0 0
Time & API Arguments Status Return Repeated

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2620
process_handle: 0x000003ec
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2620
process_handle: 0x000003ec
1 0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2696
process_handle: 0x000003ec
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2696
process_handle: 0x000003ec
1 0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2168
process_handle: 0x000003f0
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2168
process_handle: 0x000003f0
1 0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 292
process_handle: 0x000003f0
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 292
process_handle: 0x000003f0
1 0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2916
process_handle: 0x000003b8
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2916
process_handle: 0x000003b8
1 0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2832
process_handle: 0x000003b8
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2832
process_handle: 0x000003b8
1 0 0
cmdline "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\test22\AppData\Local\Temp\basel.pdf"
cmdline "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\المريض باسل دراغمة_0001 pdf.lnk
wmi SELECT * FROM AntiVirusProduct
Lionic Trojan.Win32.Bobik.l!c
FireEye Generic.mg.d60edd62ea6f2965
Sangfor Trojan.Win32.Bobik.gen
BitDefenderTheta Gen:NN.ZelphiF.34058.@V0@aaHM2lli
Symantec ML.Attribute.HighConfidence
Paloalto generic.ml
Kaspersky HEUR:Trojan-Spy.Win32.Bobik.gen
Avast FileRepMalware
Tencent Win32.Trojan-spy.Bobik.Wopq
McAfee-GW-Edition BehavesLike.Win32.Dropper.rh
Webroot W32.Malware.Gen
Avira HEUR/AGEN.1142541
Microsoft Trojan:Win32/Wacatac.B!ml
Cynet Malicious (score: 99)
McAfee Artemis!D60EDD62EA6F
VBA32 TScope.Trojan.Delf
Rising Backdoor.[TA402]Molerats!1.D32D (CLASSIC)
AVG FileRepMalware
Qihoo-360 Win32/TrojanSpy.Bobik.HgIASZ8A
Time & API Arguments Status Return Repeated

send

buffer: !
socket: 1172
sent: 1
1 1 0

send

buffer: !
socket: 1172
sent: 1
1 1 0

send

buffer: GET /20/rdr/ENU/win/nooem/none/consumer/278_20_6_20042.zip HTTP/1.1 Accept: */* If-Modified-Since: Mon, 09 Aug 2021 08:47:47 GMT User-Agent: IPM Host: acroipm2.adobe.com Connection: Keep-Alive Cache-Control: no-cache
socket: 1312
sent: 226
1 226 0

send

buffer: !
socket: 1172
sent: 1
1 1 0

send

buffer: !
socket: 1172
sent: 1
1 1 0

send

buffer: GET /20/rdr/ENU/win/nooem/none/consumer/281_20_6_20042.zip HTTP/1.1 Accept: */* If-Modified-Since: Mon, 09 Aug 2021 08:47:47 GMT User-Agent: IPM Host: acroipm2.adobe.com Connection: Keep-Alive Cache-Control: no-cache
socket: 1372
sent: 226
1 226 0

send

buffer: !
socket: 1172
sent: 1
1 1 0

send

buffer: GET /20/rdr/ENU/win/nooem/none/consumer/280_20_6_20042.zip HTTP/1.1 Accept: */* If-Modified-Since: Mon, 09 Aug 2021 08:47:47 GMT User-Agent: IPM Host: acroipm2.adobe.com Connection: Keep-Alive Cache-Control: no-cache
socket: 1364
sent: 226
1 226 0

send

buffer: !
socket: 1172
sent: 1
1 1 0

send

buffer: GET /20/rdr/ENU/win/nooem/none/consumer/277_20_6_20042.zip HTTP/1.1 Accept: */* If-Modified-Since: Mon, 09 Aug 2021 08:47:47 GMT User-Agent: IPM Host: acroipm2.adobe.com Connection: Keep-Alive Cache-Control: no-cache
socket: 1388
sent: 226
1 226 0

send

buffer: !
socket: 1172
sent: 1
1 1 0
parent_process acrord32.exe martian_process "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
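The behaviours recorded above (an executable named to look like a PDF, a .lnk written to the user's Startup folder, an RWX memory allocation, a WMI query for AntiVirusProduct, repeated HTTP POSTs with no Referer to dorothymambrose.live, and AcroRd32.exe opening the dropped Temp PDF as a decoy) are the kind of signals a triage rule set should pull out of a sandbox run. What follows is an added example, not ZeroBOX's code and not part of the report: it runs a handful of such rules over constructed event records that mirror the report's entries. The event schema, the rule names, the BENIGN_HOSTS allowlist and the example.test URL are assumptions of this script, not the sandbox's native output format.

```python
"""Rule-based triage over Cuckoo/ZeroBOX-style behaviour events (added example)."""
import re
from urllib.parse import urlparse

# Executable dressed up as a document: "... pdf.exe", "report.doc.scr", etc.
DOC_MASQUERADE_RE = re.compile(
    r"[ ._](pdf|doc|docx|xls|xlsx|ppt|pptx|txt|jpg)\.(exe|scr|com|pif)$", re.I)
# .lnk dropped into the per-user or all-users Startup folder.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
PAGE_EXECUTE_READWRITE = 0x40            # protection value 64 in the report
# Hosts a Reader install is expected to contact (assumed allowlist for the example).
BENIGN_HOSTS = {"acroipm2.adobe.com"}
READER_RE = re.compile(r"\\AcroRd32\.exe\"?\s", re.I)
TEMP_PDF_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\"]+\.pdf", re.I)


def triage(events):
    """Return sorted, de-duplicated (rule, evidence) tuples for a list of events."""
    findings = set()
    for ev in events:
        kind = ev["type"]
        if kind == "sample" and DOC_MASQUERADE_RE.search(ev["name"]):
            findings.add(("document_masquerade", ev["name"]))
        elif kind == "file" and STARTUP_RE.search(ev["path"]):
            findings.add(("startup_folder_persistence", ev["path"]))
        elif kind == "api":
            if (ev["name"] == "NtAllocateVirtualMemory"
                    and ev["args"].get("protection") == PAGE_EXECUTE_READWRITE):
                findings.add(("rwx_allocation", hex(ev["args"]["base_address"])))
        elif kind == "wmi" and "antivirusproduct" in ev["query"].lower():
            findings.add(("av_enumeration", ev["query"]))
        elif kind == "http":
            host = urlparse(ev["url"]).hostname or ""
            header_names = {h.lower() for h in ev.get("headers", {})}
            # POST with no Referer to a host outside the allowlist: beaconing pattern.
            if ev["method"] == "POST" and "referer" not in header_names \
                    and host not in BENIGN_HOSTS:
                findings.add(("post_no_referer", host))
        elif kind == "process":
            # Reader launched on a PDF dropped in Temp: decoy document shown to the user.
            if READER_RE.search(ev["cmdline"]) and TEMP_PDF_RE.search(ev["cmdline"]):
                findings.add(("decoy_document", ev["cmdline"]))
    return sorted(findings)


# Constructed events modelled on the report's entries (not the sandbox's own JSON).
SAMPLE_EVENTS = [
    {"type": "sample", "name": "المريض باسل دراغمة_0001 pdf.exe"},
    {"type": "file", "path": r"C:\Users\test22\AppData\Local\Temp\basel.pdf"},
    {"type": "file", "path": r"C:\Users\test22\AppData\Roaming\Microsoft\Windows"
                             r"\Start Menu\Programs\Startup\المريض باسل دراغمة_0001 pdf.lnk"},
    {"type": "file", "path": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk"},
    {"type": "api", "name": "NtAllocateVirtualMemory",
     "args": {"protection": 64, "base_address": 0x003F0000, "region_size": 4096}},
    {"type": "wmi", "query": "SELECT * FROM AntiVirusProduct"},
    {"type": "http", "method": "GET",
     "url": "http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/278_20_6_20042.zip",
     "headers": {"Host": "acroipm2.adobe.com", "User-Agent": "IPM"}},
    {"type": "http", "method": "POST",
     "url": "http://dorothymambrose.live/hx3FByTR5o3zNZYD/sYkaiHz0Mse13C79dy1I/Bbf0VKK5GZjWAo2phPwe",
     "headers": {"Host": "dorothymambrose.live", "Content-Type": "application/octet-stream"}},
    # Hypothetical browser form post with a Referer: must not trigger the rule.
    {"type": "http", "method": "POST", "url": "http://example.test/form",
     "headers": {"Host": "example.test", "Referer": "http://example.test/"}},
    {"type": "process", "cmdline": r'"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" '
                                   r'"C:\Users\test22\AppData\Local\Temp\basel.pdf"'},
    {"type": "process", "cmdline": r'"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" '
                                   r'--backgroundcolor=16514043'},
]

if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_EVENTS):
        print(f"{rule:28} {evidence}")
```

Each rule is deliberately narrow: the Referer rule only fires for hosts outside the allowlist, so Reader's own update traffic to acroipm2.adobe.com (visible in the send buffers above) is not flagged, and the decoy rule keys on a Temp-directory PDF rather than on AcroRd32.exe alone, since a user opening a real document looks identical at the process level.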