popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

msword.exe

Generic Malware email stealer Downloader Admin Tool (Sysinternals etc ...) Code injection Escalate priviledges KeyLogger DNS persistence AntiDebug PE File PE32 .NET EXE AntiVM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 Aug. 19, 2021, 7:05 p.m. Aug. 19, 2021, 7:19 p.m.
Size 1007.0KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 389c1a165c6169966cee944569e9ad35
SHA256 0a5b23381f3dad38b0fc246044ea939a7c6cc047a2b7c0210216eb70a48ecfc6
CRC32 5786E9B5
ssdeep 12288:qqpDc9F3nC0Py3gAhDkGsHOMHpueG/YvV6AnZrkTOwkXAiNB5kUWCEmn3+Q9OeCa:q2VMHYEv1nxwkQiT5kUUM9p7
Yara
  • PE_Header_Zero - PE File Signature
  • Admin_Tool_IN_Zero - Admin Tool Sysinternals
  • Generic_Malware_Zero - Generic Malware
  • Is_DotNET_EXE - (no description)
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
104.18.7.156 Active Moloch
164.124.101.2 Active Moloch
20.150.137.35 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: SUCCESS: The scheduled task "Updates\KAeTSLnbLVOpr" has successfully been created.
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00374cf8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00374df8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00374df8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
msword+0x3626 @ 0x403626
msword+0x1145b @ 0x41145b
msword+0x13649 @ 0x413649
msword+0x5d61 @ 0x405d61
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5

exception.instruction_r: 0f b7 01 66 89 02 41 41 42 42 66 85 c0 75 f1 c7
exception.symbol: lstrcpyW+0x16 IsBadStringPtrA-0x5b kernel32+0x33118
exception.instruction: movzx eax, word ptr [ecx]
exception.module: kernel32.dll
exception.exception_code: 0xc0000005
exception.offset: 209176
exception.address: 0x76a63118
registers.esp: 3340336
registers.edi: 3340476
registers.eax: 3340360
registers.ebp: 3340376
registers.edx: 47513600
registers.ebx: 3340616
registers.esi: 3340632
registers.ecx: 0
1 0 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 1114112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00640000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00710000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2020
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x731a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2020
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x731a2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 2097152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x022d0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02490000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00512000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00545000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0054b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00547000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0052c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00760000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0051a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0053a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00537000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0052a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00536000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00761000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0051c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2020
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6ff02000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef50000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef58000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00762000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0052d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0052e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00763000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00764000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00765000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00766000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00767000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00768000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00769000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0076a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0076b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0076c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0076d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0076e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0076f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x057f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x057f1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
cmdline schtasks.exe /Create /TN "Updates\KAeTSLnbLVOpr" /XML "C:\Users\test22\AppData\Local\Temp\tmp2EE4.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KAeTSLnbLVOpr" /XML "C:\Users\test22\AppData\Local\Temp\tmp2EE4.tmp"
wmi
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: schtasks.exe
parameters: /Create /TN "Updates\KAeTSLnbLVOpr" /XML "C:\Users\test22\AppData\Local\Temp\tmp2EE4.tmp"
filepath: schtasks.exe
1 1 0
section {u'size_of_data': u'0x000d1600', u'virtual_address': u'0x00002000', u'entropy': 7.259818163445891, u'name': u'.text', u'virtual_size': u'0x000d1594'} entropy 7.25981816345 description A section with a high entropy has been found
entropy 0.832091405862 description Overall entropy of this PE file is high
description Communications use DNS rule Network_DNS
description Escalate priviledges rule Escalate_priviledges
description Run a KeyLogger rule KeyLogger
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description email clients info stealer rule infoStealer_emailClients_Zero
description File Downloader rule Network_Downloader
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Install itself for autorun at Windows startup rule Persistence
cmdline schtasks.exe /Create /TN "Updates\KAeTSLnbLVOpr" /XML "C:\Users\test22\AppData\Local\Temp\tmp2EE4.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KAeTSLnbLVOpr" /XML "C:\Users\test22\AppData\Local\Temp\tmp2EE4.tmp"
host 104.18.7.156
host 20.150.137.35
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2408
region_size: 1392640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000003f8
1 0 0
file C:\Users\test22\AppData\Local\Temp\tmp2EE4.tmp
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $z]üÕ><’†><’†><’†ý3͆?<’†7D†?<’†ý3φ<<’†úÿ†?<’†úü†=<’†;0†?<’†7D†:<’†7D†!<’†><“†Ù<’†­U›‡N<’†­Um†?<’†­U‡?<’†Rich><’†PELœûI_à 0Úâ\@@@@…wðp, ¨ u@p.text«.0 `.rdataÎI@J4@@.dataØP~@À.rsrcp,ð.„@@.reloc¨ ²@B.bss0Â@@
base_address: 0x00400000
process_identifier: 2408
process_handle: 0x000003f8
1 1 0

WriteProcessMemory

 buffer: Í@ï@þ@ @@+@:@\@k@€@™TÍ<¨‡K¢`ˆˆÝ;UBÄôKŠ› A³€ÝJpMÛ(P‘AP‘AU‹ì‹U‹E‹È…Òt ÆAƒêu÷]ÃU‹ìd¡0ƒì‹@ SVW‹x 駋G03ö‹_,‹?‰Eø‹B<‰}ô‹Dx‰Eð…À„…Áë3ɅÛt-‹}ø¾ÁÎ €<a‰Uø| ‹ÂƒÀàðëuøA;ËrߋUü‹}ô‹Eð‹L3ۋD ‰Mì…Ét<‹3ÿʃÀ‰Mø‹Ñ‰EèŠ ÁÏ ¾ÁøB„Éuñ‹Uü‰}ø‹Eø‹}ôÆ;Et ‹EèC;]ìrċW‰Uü…Ò…Kÿÿÿ3À_^[É‹uð‹D$X· ‹Dˆ‹ÂëÝU‹ìì¼‹ESVW‹XhLw&‰M ‰]¸èèþÿÿ‹ðÇEÄkern3ÀÇEÈel32ˆEЈEލEÄPÇEÌ.dllÇEàntdlÇEäl.dlfÇEèlÇEÔuserÇEØ32.dfÇEÜllfÇEø1fÇEü2ÿ֍EàPÿ֍EÔPÿÖhX¤SåèyþÿÿhyÌ?†‰EèlþÿÿhEƒV‰Eôè_þÿÿhDð5à‰EÀèRþÿÿhP‰E¤èEþÿÿhƖ‡R‰Eœè8þÿÿh_xTî‰Eðè+þÿÿhÚöÚO‰E˜èþÿÿ‹øhÆp‰}´èþÿÿh­ž_»‹ðèþÿÿh-W®[‰E¼èöýÿÿ‰E¬3ÀPh€jPPh€S‰E¨ÿ×j‰EìPÿ֋]‹ø‰}°jh0WjÿӋð…ötîjE¨PW‹}ìVWÿU¼WÿUð€>M‹]¸t jEøPPjÿUÀÆE hà.ÿU¤3À}ˆ«jDj«««…DÿÿÿPèTýÿÿƒÄ ÿu jhÿÿÿUœ‰E¼…ÀuOEˆP…DÿÿÿP3ÀPPPPPPPSÿUô…À…¯PPjPPh@S‰E¸ÿU´‹øjƒÿÿtE¸ë^EüPPjÿUÀ鄃eìMìQPÿU˜}ìtoEˆP…DÿÿÿP3ÀPPPPPPPSÿUô…ÀuOPPjPPh@S‰EÿU´‹øjƒÿÿt*EPÿu°VWÿU¬WÿUðEˆP…DÿÿÿP3ÀPPPPPPPSÿUôë EüPPjÿUÀÆE ÿu¼ÿUð€} „åþÿÿ_^[ÉÃ,mAd
base_address: 0x00419000
process_identifier: 2408
process_handle: 0x000003f8
1 1 0

WriteProcessMemory

 buffer: 2AƦ+ú‹Í_¡ä0ÏÂIí%µ[ §+uWÀ­`½^¤ö¥8`Ö¹Á™8ú*¾!S£«ÑŽRƒyè93’Çë‰ ÊZÏP=±€J…3ÔíôÖQ2ÅkyYÚ½åMCØuTA§„çýO0ãtiƞ,w¹ÏA ˆÞ¤“Q®1rF¨®
base_address: 0x00553000
process_identifier: 2408
process_handle: 0x000003f8
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2408
process_handle: 0x000003f8
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $z]üÕ><’†><’†><’†ý3͆?<’†7D†?<’†ý3φ<<’†úÿ†?<’†úü†=<’†;0†?<’†7D†:<’†7D†!<’†><“†Ù<’†­U›‡N<’†­Um†?<’†­U‡?<’†Rich><’†PELœûI_à 0Úâ\@@@@…wðp, ¨ u@p.text«.0 `.rdataÎI@J4@@.dataØP~@À.rsrcp,ð.„@@.reloc¨ ²@B.bss0Â@@
base_address: 0x00400000
process_identifier: 2408
process_handle: 0x000003f8
1 1 0
Process injection Process 2020 called NtSetContextThread to modify thread in remote process 2408
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4218082
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000368
process_identifier: 2408
1 0 0
file C:\Users\test22\AppData\Local\Temp\:Zone.Identifier
Process injection Process 2020 resumed a thread in remote process 2408
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x00000368
suspend_count: 1
process_identifier: 2408
1 0 0
Elastic malicious (high confidence)
FireEye Generic.mg.389c1a165c616996
McAfee AgentTesla-FCTJ!389C1A165C61
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_90% (D)
Cyren W32/MSIL_Troj.BJP.gen!Eldorado
Symantec Scr.Malcode!gdn30
ESET-NOD32 a variant of MSIL/Kryptik.ACMR
APEX Malicious
Paloalto generic.ml
Avast Win32:PWSX-gen [Trj]
Sophos ML/PE-A
DrWeb Trojan.DownLoader41.15659
McAfee-GW-Edition AgentTesla-FCTJ!389C1A165C61
SentinelOne Static AI - Malicious PE
Microsoft Trojan:Win32/Sabsik.FL.B!ml
Cynet Malicious (score: 100)
BitDefenderTheta Gen:NN.ZemsilF.34088.!m0@aKy13mp
Malwarebytes Trojan.MalPack.PNG.Generic
eGambit Unsafe.AI_Score_87%
Fortinet MSIL/AgentTesla.QKZL!tr
AVG Win32:PWSX-gen [Trj]
Qihoo-360 HEUR/QVM03.0.5B7B.Malware.Gen
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 2020
1 0 0

NtResumeThread

 thread_handle: 0x00000150
suspend_count: 1
process_identifier: 2020
1 0 0

NtResumeThread

 thread_handle: 0x0000018c
suspend_count: 1
process_identifier: 2020
1 0 0

NtResumeThread

 thread_handle: 0x00000260
suspend_count: 1
process_identifier: 2020
1 0 0

CreateProcessInternalW

 thread_identifier: 2320
thread_handle: 0x000003e0
process_identifier: 2324
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KAeTSLnbLVOpr" /XML "C:\Users\test22\AppData\Local\Temp\tmp2EE4.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003e8
1 1 0

CreateProcessInternalW

 thread_identifier: 1784
thread_handle: 0x00000368
process_identifier: 2408
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\msword.exe
track: 1
command_line:
filepath_r: C:\Users\test22\AppData\Local\Temp\msword.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000003f8
1 1 0

NtGetContextThread

 thread_handle: 0x00000368
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2408
region_size: 1392640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000003f8
1 0 0

WriteProcessMemory

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $z]üÕ><’†><’†><’†ý3͆?<’†7D†?<’†ý3φ<<’†úÿ†?<’†úü†=<’†;0†?<’†7D†:<’†7D†!<’†><“†Ù<’†­U›‡N<’†­Um†?<’†­U‡?<’†Rich><’†PELœûI_à 0Úâ\@@@@…wðp, ¨ u@p.text«.0 `.rdataÎI@J4@@.dataØP~@À.rsrcp,ð.„@@.reloc¨ ²@B.bss0Â@@
base_address: 0x00400000
process_identifier: 2408
process_handle: 0x000003f8
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00401000
process_identifier: 2408
process_handle: 0x000003f8
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00414000
process_identifier: 2408
process_handle: 0x000003f8
1 1 0

WriteProcessMemory

 buffer: Í@ï@þ@ @@+@:@\@k@€@™TÍ<¨‡K¢`ˆˆÝ;UBÄôKŠ› A³€ÝJpMÛ(P‘AP‘AU‹ì‹U‹E‹È…Òt ÆAƒêu÷]ÃU‹ìd¡0ƒì‹@ SVW‹x 駋G03ö‹_,‹?‰Eø‹B<‰}ô‹Dx‰Eð…À„…Áë3ɅÛt-‹}ø¾ÁÎ €<a‰Uø| ‹ÂƒÀàðëuøA;ËrߋUü‹}ô‹Eð‹L3ۋD ‰Mì…Ét<‹3ÿʃÀ‰Mø‹Ñ‰EèŠ ÁÏ ¾ÁøB„Éuñ‹Uü‰}ø‹Eø‹}ôÆ;Et ‹EèC;]ìrċW‰Uü…Ò…Kÿÿÿ3À_^[É‹uð‹D$X· ‹Dˆ‹ÂëÝU‹ìì¼‹ESVW‹XhLw&‰M ‰]¸èèþÿÿ‹ðÇEÄkern3ÀÇEÈel32ˆEЈEލEÄPÇEÌ.dllÇEàntdlÇEäl.dlfÇEèlÇEÔuserÇEØ32.dfÇEÜllfÇEø1fÇEü2ÿ֍EàPÿ֍EÔPÿÖhX¤SåèyþÿÿhyÌ?†‰EèlþÿÿhEƒV‰Eôè_þÿÿhDð5à‰EÀèRþÿÿhP‰E¤èEþÿÿhƖ‡R‰Eœè8þÿÿh_xTî‰Eðè+þÿÿhÚöÚO‰E˜èþÿÿ‹øhÆp‰}´èþÿÿh­ž_»‹ðèþÿÿh-W®[‰E¼èöýÿÿ‰E¬3ÀPh€jPPh€S‰E¨ÿ×j‰EìPÿ֋]‹ø‰}°jh0WjÿӋð…ötîjE¨PW‹}ìVWÿU¼WÿUð€>M‹]¸t jEøPPjÿUÀÆE hà.ÿU¤3À}ˆ«jDj«««…DÿÿÿPèTýÿÿƒÄ ÿu jhÿÿÿUœ‰E¼…ÀuOEˆP…DÿÿÿP3ÀPPPPPPPSÿUô…À…¯PPjPPh@S‰E¸ÿU´‹øjƒÿÿtE¸ë^EüPPjÿUÀ鄃eìMìQPÿU˜}ìtoEˆP…DÿÿÿP3ÀPPPPPPPSÿUô…ÀuOPPjPPh@S‰EÿU´‹øjƒÿÿt*EPÿu°VWÿU¬WÿUðEˆP…DÿÿÿP3ÀPPPPPPPSÿUôë EüPPjÿUÀÆE ÿu¼ÿUð€} „åþÿÿ_^[ÉÃ,mAd
base_address: 0x00419000
process_identifier: 2408
process_handle: 0x000003f8
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x0054f000
process_identifier: 2408
process_handle: 0x000003f8
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00552000
process_identifier: 2408
process_handle: 0x000003f8
1 1 0

WriteProcessMemory

 buffer: 2AƦ+ú‹Í_¡ä0ÏÂIí%µ[ §+uWÀ­`½^¤ö¥8`Ö¹Á™8ú*¾!S£«ÑŽRƒyè93’Çë‰ ÊZÏP=±€J…3ÔíôÖQ2ÅkyYÚ½åMCØuTA§„çýO0ãtiƞ,w¹ÏA ˆÞ¤“Q®1rF¨®
base_address: 0x00553000
process_identifier: 2408
process_handle: 0x000003f8
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2408
process_handle: 0x000003f8
1 1 0

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4218082
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000368
process_identifier: 2408
1 0 0

NtResumeThread

 thread_handle: 0x00000368
suspend_count: 1
process_identifier: 2408
1 0 0