popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Swift Copy pdf.exe

Generic Malware email stealer Antivirus ScreenShot DNS Steal credential AntiDebug PE32 PE File .NET EXE AntiVM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Oct. 7, 2021, 2:38 p.m. Oct. 7, 2021, 2:40 p.m.
Size 577.5KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 604ff60ab55652c44862fad411f633b1
SHA256 7200e442ed8c36cea22fca519b4874a159c194ee208de6175b9731127a8643c6
CRC32 97A09C40
ssdeep 12288:F/IoYdHAlUQ0GyeSaAtonPI34ltbHOBuvyy9NDN8w:BIldHACQ0zinPI34ltL9vyip8w
PDB Path C:\Users\Administrator\Desktop\Client\Temp\dAlUYcfRWw\src\obj\Debug\TextWrit.pdb
Yara
  • PE_Header_Zero - PE File Signature
  • Generic_Malware_Zero - Generic Malware
  • IsPE32 - (no description)
  • Is_DotNET_EXE - (no description)

Name Response Post-Analysis Lookup
norly519.ddns.net
A 185.244.30.198
185.244.30.198
IP Address Status Action
164.124.101.2 Active Moloch
185.244.30.198 Active Moloch
37.235.1.174 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.101:61479 -> 37.235.1.174:53 2028675 ET POLICY DNS Query to DynDNS Domain *.ddns .net Potentially Bad Traffic
UDP 192.168.56.101:59369 -> 37.235.1.174:53 2028675 ET POLICY DNS Query to DynDNS Domain *.ddns .net Potentially Bad Traffic
TCP 192.168.56.101:49206 -> 185.244.30.198:7060 2025019 ET MALWARE Possible NanoCore C2 60B Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 185.244.30.198:7060 2025019 ET MALWARE Possible NanoCore C2 60B Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function
console_handle: 0x00000023
1 1 0

WriteConsoleW

 buffer: , script file, or operable program. Check the spelling of the name, or if a pat
console_handle: 0x0000002f
1 1 0

WriteConsoleW

 buffer: h was included, verify that the path is correct and try again.
console_handle: 0x0000003b
1 1 0

WriteConsoleW

 buffer: At line:1 char:17
console_handle: 0x00000047
1 1 0

WriteConsoleW

 buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Local\Temp\Swif
console_handle: 0x00000053
1 1 0

WriteConsoleW

 buffer: t Copy pdf.exe
console_handle: 0x0000005f
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co
console_handle: 0x0000006b
1 1 0

WriteConsoleW

 buffer: mmandNotFoundException
console_handle: 0x00000077
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : CommandNotFoundException
console_handle: 0x00000083
1 1 0

WriteConsoleW

 buffer: ERROR:
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: The system cannot find the file specified.
console_handle: 0x0000000b
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ee200
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ee780
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ee780
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ee780
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ee300
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ee300
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ee300
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ee300
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ee300
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ee300
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002eddc0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002eddc0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002eddc0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ee780
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ee780
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ee780
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ee680
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ee780
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ee780
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ee780
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ee780
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ee780
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ee780
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002ee780
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002edf00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002edf00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002edf00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002edf00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002edf00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002edf00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002edf00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002edf00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002edf00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002edf00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002edf00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002edf00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002edf00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002edf00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002eeb80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002eeb80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002eeb80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002eeb80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002eeb80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002eeb80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002eeb80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x002eeb80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
pdb_path C:\Users\Administrator\Desktop\Client\Temp\dAlUYcfRWw\src\obj\Debug\TextWrit.pdb
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
domain norly519.ddns.net
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 1572864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00810000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00950000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72741000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72742000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 1048576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006e0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003e2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00415000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0041b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00417000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003fc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00750000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ea000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0040a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00407000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003fa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00751000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72142000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00406000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0040b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00752000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00753000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003fd000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00754000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0075a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0075b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0075c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0075d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0075e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0075f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1120
region_size: 1572864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02920000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1120
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a60000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1120
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6dab1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1120
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ca000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1120
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6dab2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1120
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026c2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1120
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1120
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a61000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1120
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a62000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1120
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026fa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1120
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1120
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1120
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0271b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1120
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02717000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1120
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026cb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1120
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026f2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1120
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02715000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1120
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1120
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026fc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1120
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02920000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceW

 number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

 number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Login Data
file C:\Users\test22\AppData\Roaming\Opera\Opera\wand.dat
file C:\Users\test22\AppData\Roaming\Opera\Opera7\profile\wand.dat
file C:\Users\test22\AppData\Local\Temp\mgl1ggbp.com
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tItYvR" /XML "C:\Users\test22\AppData\Local\Temp\tmp1BAA.tmp"
cmdline powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\Swift Copy pdf.exe"
cmdline schtasks.exe /Create /TN "Updates\tItYvR" /XML "C:\Users\test22\AppData\Local\Temp\tmp1BAA.tmp"
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\Swift Copy pdf.exe"
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: powershell
parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\Swift Copy pdf.exe"
filepath: powershell
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: schtasks.exe
parameters: /Create /TN "Updates\tItYvR" /XML "C:\Users\test22\AppData\Local\Temp\tmp1BAA.tmp"
filepath: schtasks.exe
1 1 0
section {u'size_of_data': u'0x0008fc00', u'virtual_address': u'0x00002000', u'entropy': 7.82616984527935, u'name': u'.text', u'virtual_size': u'0x0008fab4'} entropy 7.82616984528 description A section with a high entropy has been found
entropy 0.996533795494 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
url http://www.nirsoft.net/
description Take ScreenShot rule ScreenShot
description Steal credential rule local_credential_Steal
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Communications use DNS rule Network_DNS
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description email clients info stealer rule infoStealer_emailClients_Zero
description Take ScreenShot rule ScreenShot
description Steal credential rule local_credential_Steal
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tItYvR" /XML "C:\Users\test22\AppData\Local\Temp\tmp1BAA.tmp"
cmdline schtasks.exe /Create /TN "Updates\tItYvR" /XML "C:\Users\test22\AppData\Local\Temp\tmp1BAA.tmp"
buffer Buffer with sha1: 9420a2004c14c4a5e31290936a07bd58dcaa15b3
buffer Buffer with sha1: 636b8187f0cb59d43c9ee1eedf144043941b62d9
buffer Buffer with sha1: 4380fb6de89a7776d52214359ce213d24a2239ad
buffer Buffer with sha1: c19d9db351af75fec019fe76506a455eba7fd168
buffer Buffer with sha1: c1ef2ca62189121934d1a7944ef1bdc1aa319877
buffer Buffer with sha1: 063fb8b27c0872c54bff35e2b76d8f522e13f8b4
buffer Buffer with sha1: 925c5236c59dd8f3efea4b3e091ef735b405a880
buffer Buffer with sha1: c54e7c5cac5fac68dc564ce64355d948422bf1ce
buffer Buffer with sha1: dcdec0ea839844e977c1151d2eeedbb0788a34b1
buffer Buffer with sha1: 0c6598a0a37eaf12ce188fa66bc6c5db394af8a4
buffer Buffer with sha1: 874b7c3c97cc5b13b9dd172fec5a54bc1f258005
buffer Buffer with sha1: efa4948abb218e47d809bedd1aff08cfb76d40e1
buffer Buffer with sha1: 1b68e773e3522fa8edc7cb20d7c7f156b08ec73a
buffer Buffer with sha1: 874f3caf663265f7dd18fb565d91b7d915031251
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2944
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000003c8
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3068
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000408
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2760
region_size: 339968
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000003b4
1 0 0
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

 information_class: 8 (SystemProcessorPerformanceInformation)
1 0 0
description Swift Copy pdf.exe tried to sleep 3118290794 seconds, actually delayed analysis time by 3118290794 seconds
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Host reg_value C:\Program Files (x86)\SMTP Host\smtphost.exe
file C:\Users\test22\AppData\Local\Temp\mgl1ggbp.com
registry HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTà È`’ç @ €8çW ˜]  H.text˜Ç È `.reloc Ê@B.rsrc˜] ^Ì@@
base_address: 0x00400000
process_identifier: 2944
process_handle: 0x000003c8
1 1 0

WriteProcessMemory

 buffer: à ”7
base_address: 0x00420000
process_identifier: 2944
process_handle: 0x000003c8
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2944
process_handle: 0x000003c8
1 1 0

WriteProcessMemory

 buffer: MZÿÿ¸@躴 Í!¸LÍ!This program cannot be run in DOS mode. $ՆŽž‘çà͑çà͑çàÍRè½ÍƒçàÍkĠ͒çàÍKÄü͚çà͑çá͛æàÍkÄù͒çàͶ!’Í·çàͶ!œÍçàͶ!˜ÍçàÍRich‘çàÍPELÃÞRQà  tT @°“®”E܀”/À# ”.text„   `.rdatað7 8@@.datat` F@À.rsrc”/€0R@@
base_address: 0x00400000
process_identifier: 3068
process_handle: 0x00000408
1 1 0

WriteProcessMemory

 buffer: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzdf$Af$Aÿÿðÿððððÿ €€€€€ € € €€ € €€€€€€€ €€  €€€€ €€  €€ €€€€ € € € €€€€€€€€€ €€ € €€ €€€ €  €€ € €€€ €€ € €€€ €  €€ €€€ € € €€€€ € €€€ € €€ €€ € € €€€€ € € €€ €€€ €  € € € € €€ € € €€€ € €B@@@BB@@@@BBB@BBB@B@@B@BBBB@B@@@ @ @@@ @ @@ @@ @@@ @@ @@@ @@@@ @ @ @@@@ @@@@@ @ @ @@@@ @@ @@ @ @@ @@@ @@@@ @ @@ @@@@@ @@ @@                             @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@néxênëxìdñdòPínîxï xð xó xô Põÿÿðÿððððÿabe2869f-9b47-4cd9-a358-c22904dba7f7ÿÿÿk82BD0E67-9FEA-4748-8672-D5EFE5B779B0
base_address: 0x00416000
process_identifier: 3068
process_handle: 0x00000408
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0xfffde008
process_identifier: 3068
process_handle: 0x00000408
1 1 0

WriteProcessMemory

 buffer: MZÿÿ¸@躴 Í!¸LÍ!This program cannot be run in DOS mode. $ít)©dz©dz©dzjkEz«dzjkGz¿dzSGZz¢dzsGz¢dz©dzàezSGzªdzŽ¢hz›dzŽ¢fz¨dzŽ¢bz¨dzRich©dzPEL?ƒRà Ô(&0@0è†tÍð ¼ö`p40D.textÍ `.rdata´0¶"@@.data-ðØ@À.rsrc¼ î@@
base_address: 0x00400000
process_identifier: 2760
process_handle: 0x000003b4
1 1 0

WriteProcessMemory

 buffer: €`€ x€#€&¨€'À€?؀Rð€   ( 8 H X hx!4ä¬#8ää$Xä<%èä$&tä˜&ºäT'hä %d Passwords , %d SelectedCreated by usingSelect a filename to saveWeb Browser Passwords%Choose another Firefox profile folder)Choose the installation folder of Firefox,Choose another profile of Chrome Web browser,Choose the password file of Opera (wand.dat) Loading... %d Text FileTab Delimited Text FileTabular Text FileHTML File - HorizontalHTML File - VerticalXML FileComma Delimited Text FileKeePass csv fileOpera Password File All FilesInternet Explorer 4.0 - 6.0Internet Explorer 7.0 - 9.0 Firefox 1.x Firefox 2.x Firefox 3.0FirefoxChromeOperaSafariInternet Explorer 10.0 SeaMonkeyURL Web Browser User NamePasswordPassword StrengthUser Name FieldPassword Field Very WeakWeakMediumStrong Very Strong
base_address: 0x00452000
process_identifier: 2760
process_handle: 0x000003b4
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0xfffde008
process_identifier: 2760
process_handle: 0x000003b4
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTà È`’ç @ €8çW ˜]  H.text˜Ç È `.reloc Ê@B.rsrc˜] ^Ì@@
base_address: 0x00400000
process_identifier: 2944
process_handle: 0x000003c8
1 1 0

WriteProcessMemory

 buffer: MZÿÿ¸@躴 Í!¸LÍ!This program cannot be run in DOS mode. $ՆŽž‘çà͑çà͑çàÍRè½ÍƒçàÍkĠ͒çàÍKÄü͚çà͑çá͛æàÍkÄù͒çàͶ!’Í·çàͶ!œÍçàͶ!˜ÍçàÍRich‘çàÍPELÃÞRQà  tT @°“®”E܀”/À# ”.text„   `.rdatað7 8@@.datat` F@À.rsrc”/€0R@@
base_address: 0x00400000
process_identifier: 3068
process_handle: 0x00000408
1 1 0

WriteProcessMemory

 buffer: MZÿÿ¸@躴 Í!¸LÍ!This program cannot be run in DOS mode. $ít)©dz©dz©dzjkEz«dzjkGz¿dzSGZz¢dzsGz¢dz©dzàezSGzªdzŽ¢hz›dzŽ¢fz¨dzŽ¢bz¨dzRich©dzPEL?ƒRà Ô(&0@0è†tÍð ¼ö`p40D.textÍ `.rdata´0¶"@@.data-ðØ@À.rsrc¼ î@@
base_address: 0x00400000
process_identifier: 2760
process_handle: 0x000003b4
1 1 0
registry HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
registry HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
registry HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
registry HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird
registry HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Process injection Process 1108 called NtSetContextThread to modify thread in remote process 2944
Process injection Process 2944 called NtSetContextThread to modify thread in remote process 3068
Process injection Process 2944 called NtSetContextThread to modify thread in remote process 2760
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4319122
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000003d0
process_identifier: 2944
1 0 0

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4265556
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000040c
process_identifier: 3068
1 0 0

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4466216
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000003a4
process_identifier: 2760
1 0 0
file C:\Users\test22\AppData\Local\Temp\Swift Copy pdf.exe:Zone.Identifier
Process injection Process 1108 resumed a thread in remote process 2944
Process injection Process 2944 resumed a thread in remote process 3068
Process injection Process 2944 resumed a thread in remote process 2760
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000003d0
suspend_count: 1
process_identifier: 2944
1 0 0

NtResumeThread

 thread_handle: 0x0000040c
suspend_count: 1
process_identifier: 3068
1 0 0

NtResumeThread

 thread_handle: 0x000003a4
suspend_count: 1
process_identifier: 2760
1 0 0
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 1108
1 0 0

NtResumeThread

 thread_handle: 0x00000150
suspend_count: 1
process_identifier: 1108
1 0 0

NtResumeThread

 thread_handle: 0x0000018c
suspend_count: 1
process_identifier: 1108
1 0 0

NtGetContextThread

 thread_handle: 0x00000150
1 0 0

NtResumeThread

 thread_handle: 0x00000150
suspend_count: 1
process_identifier: 1108
1 0 0

NtResumeThread

 thread_handle: 0x000002c8
suspend_count: 1
process_identifier: 1108
1 0 0

CreateProcessInternalW

 thread_identifier: 1760
thread_handle: 0x000003d0
process_identifier: 1120
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\Swift Copy pdf.exe"
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003d4
1 1 0

CreateProcessInternalW

 thread_identifier: 1164
thread_handle: 0x000003b8
process_identifier: 2420
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tItYvR" /XML "C:\Users\test22\AppData\Local\Temp\tmp1BAA.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003dc
1 1 0

CreateProcessInternalW

 thread_identifier: 2892
thread_handle: 0x000003d0
process_identifier: 2944
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\Swift Copy pdf.exe
track: 1
command_line:
filepath_r: C:\Users\test22\AppData\Local\Temp\Swift Copy pdf.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000003c8
1 1 0

NtGetContextThread

 thread_handle: 0x000003d0
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2944
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000003c8
1 0 0

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTà È`’ç @ €8çW ˜]  H.text˜Ç È `.reloc Ê@B.rsrc˜] ^Ì@@
base_address: 0x00400000
process_identifier: 2944
process_handle: 0x000003c8
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00402000
process_identifier: 2944
process_handle: 0x000003c8
1 1 0

WriteProcessMemory

 buffer: à ”7
base_address: 0x00420000
process_identifier: 2944
process_handle: 0x000003c8
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00422000
process_identifier: 2944
process_handle: 0x000003c8
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2944
process_handle: 0x000003c8
1 1 0

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4319122
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000003d0
process_identifier: 2944
1 0 0

NtResumeThread

 thread_handle: 0x000003d0
suspend_count: 1
process_identifier: 2944
1 0 0

NtResumeThread

 thread_handle: 0x000003bc
suspend_count: 1
process_identifier: 1108
1 0 0

NtResumeThread

 thread_handle: 0x00000298
suspend_count: 1
process_identifier: 1120
1 0 0

NtResumeThread

 thread_handle: 0x000002ec
suspend_count: 1
process_identifier: 1120
1 0 0

NtResumeThread

 thread_handle: 0x00000448
suspend_count: 1
process_identifier: 1120
1 0 0

NtResumeThread

 thread_handle: 0x000004a8
suspend_count: 1
process_identifier: 1120
1 0 0

NtResumeThread

 thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 2944
1 0 0

NtResumeThread

 thread_handle: 0x0000014c
suspend_count: 1
process_identifier: 2944
1 0 0

NtResumeThread

 thread_handle: 0x00000194
suspend_count: 1
process_identifier: 2944
1 0 0

NtResumeThread

 thread_handle: 0x000002e4
suspend_count: 1
process_identifier: 2944
1 0 0

NtResumeThread

 thread_handle: 0x00000300
suspend_count: 1
process_identifier: 2944
1 0 0

NtResumeThread

 thread_handle: 0x0000033c
suspend_count: 1
process_identifier: 2944
1 0 0

NtGetContextThread

 thread_handle: 0x000000e0
1 0 0

NtGetContextThread

 thread_handle: 0x000000e0
1 0 0

NtResumeThread

 thread_handle: 0x000000e0
suspend_count: 1
process_identifier: 2944
1 0 0

NtResumeThread

 thread_handle: 0x000003b4
suspend_count: 1
process_identifier: 2944
1 0 0

NtResumeThread

 thread_handle: 0x000003c8
suspend_count: 1
process_identifier: 2944
1 0 0

NtResumeThread

 thread_handle: 0x000003ec
suspend_count: 1
process_identifier: 2944
1 0 0

NtResumeThread

 thread_handle: 0x00000410
suspend_count: 1
process_identifier: 2944
1 0 0

NtResumeThread

 thread_handle: 0x00000470
suspend_count: 1
process_identifier: 2944
1 0 0

NtResumeThread

 thread_handle: 0x000004f4
suspend_count: 1
process_identifier: 2944
1 0 0

NtResumeThread

 thread_handle: 0x00000534
suspend_count: 1
process_identifier: 2944
1 0 0

NtResumeThread

 thread_handle: 0x000003d0
suspend_count: 1
process_identifier: 2944
1 0 0

NtResumeThread

 thread_handle: 0x00000558
suspend_count: 1
process_identifier: 2944
1 0 0

CreateProcessInternalW

 thread_identifier: 2160
thread_handle: 0x0000040c
process_identifier: 3068
current_directory:
filepath: c:\Windows\microsoft.net\framework\v4.0.30319\vbc.exe
track: 1
command_line: "c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe" /shtml "C:\Users\test22\AppData\Local\Temp\mgl1ggbp.com"
filepath_r: c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000408
1 1 0

NtGetContextThread

 thread_handle: 0x0000040c
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3068
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000408
1 0 0

WriteProcessMemory

 buffer: MZÿÿ¸@躴 Í!¸LÍ!This program cannot be run in DOS mode. $ՆŽž‘çà͑çà͑çàÍRè½ÍƒçàÍkĠ͒çàÍKÄü͚çà͑çá͛æàÍkÄù͒çàͶ!’Í·çàͶ!œÍçàͶ!˜ÍçàÍRich‘çàÍPELÃÞRQà  tT @°“®”E܀”/À# ”.text„   `.rdatað7 8@@.datat` F@À.rsrc”/€0R@@
base_address: 0x00400000
process_identifier: 3068
process_handle: 0x00000408
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00401000
process_identifier: 3068
process_handle: 0x00000408
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00412000
process_identifier: 3068
process_handle: 0x00000408
1 1 0

WriteProcessMemory

 buffer: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzdf$Af$Aÿÿðÿððððÿ €€€€€ € € €€ € €€€€€€€ €€  €€€€ €€  €€ €€€€ € € € €€€€€€€€€ €€ € €€ €€€ €  €€ € €€€ €€ € €€€ €  €€ €€€ € € €€€€ € €€€ € €€ €€ € € €€€€ € € €€ €€€ €  € € € € €€ € € €€€ € €B@@@BB@@@@BBB@BBB@B@@B@BBBB@B@@@ @ @@@ @ @@ @@ @@@ @@ @@@ @@@@ @ @ @@@@ @@@@@ @ @ @@@@ @@ @@ @ @@ @@@ @@@@ @ @@ @@@@@ @@ @@                             @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@néxênëxìdñdòPínîxï xð xó xô Põÿÿðÿððððÿabe2869f-9b47-4cd9-a358-c22904dba7f7ÿÿÿk82BD0E67-9FEA-4748-8672-D5EFE5B779B0
base_address: 0x00416000
process_identifier: 3068
process_handle: 0x00000408
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00418000
process_identifier: 3068
process_handle: 0x00000408
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0xfffde008
process_identifier: 3068
process_handle: 0x00000408
1 1 0
Lionic Trojan.MSIL.Agensla.i!c
Elastic malicious (high confidence)
DrWeb Trojan.DownLoader43.35237
MicroWorld-eScan Trojan.GenericKDZ.78567
FireEye Trojan.GenericKDZ.78567
ALYac Trojan.GenericKDZ.78567
Cylance Unsafe
Sangfor Suspicious.Win32.Save.a
CrowdStrike win/malicious_confidence_80% (W)
Cyren W32/MSIL_Kryptik.FTV.gen!Eldorado
ESET-NOD32 a variant of MSIL/Kryptik.ADAS
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender Trojan.GenericKDZ.78567
Avast Win32:MalwareX-gen [Trj]
Tencent Msil.Trojan-qqpass.Qqrob.Wlfr
Ad-Aware Trojan.GenericKDZ.78567
Emsisoft Trojan.GenericKDZ.78567 (B)
McAfee-GW-Edition BehavesLike.Win32.Fareit.hc
Sophos Mal/Generic-S
Ikarus Trojan.MSIL.Inject
MAX malware (ai score=81)
Microsoft Trojan:Win32/Woreflint.A!cl
Arcabit Trojan.Generic.D132E7
ZoneAlarm HEUR:Trojan-PSW.MSIL.Agensla.gen
GData MSIL.Trojan.PSE.1ASJ9OM
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win.Generic.C4676872
McAfee PWS-FCZG!604FF60AB556
Malwarebytes Trojan.MalPack.ADC
TrendMicro-HouseCall TROJ_GEN.R002C0WJ621
SentinelOne Static AI - Suspicious PE
Fortinet MSIL/GenKryptik.FLQF!tr
AVG Win32:MalwareX-gen [Trj]
Panda Trj/GdSda.A