Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 15, 2021, 9:38 a.m.	Oct. 15, 2021, 10:08 a.m.

Size	118.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`4e956950a9aea405936b0ba0653138ef`
SHA256	`cbba68b38ac9d1694b79a6c58863dcc556d593978da1c5d122b8ac1e0e8ef5cd`
CRC32	`7E52FF68`
ssdeep	`1536:efgIQtdijNtRgby4G8eiCtuhS1s/pQ7YFuCm:Wg+jpj4N1CtXe/pQIW`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

Kofi.exe "C:\Users\test22\AppData\Local\Temp\Kofi.exe"
1196
- Kofi.exe "C:\Users\test22\AppData\Local\Temp\Kofi.exe"
  972
  - vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\test22\AppData\Local\Temp\holdermail.txt"
    2808
  - vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\test22\AppData\Local\Temp\holderwb.txt"
    2972

Name	Response	Post-Analysis Lookup
whatismyipaddress.com	A 104.16.154.36 A 104.16.155.36	104.16.155.36
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.129.233
mail.kofimade.com	CNAME kofimade.com A 212.1.210.54	212.1.210.54

IP Address	Status	Action
104.16.155.36	Active	Moloch
162.159.135.233	Active	Moloch
164.124.101.2	Active	Moloch
212.1.210.54	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49163 -> 162.159.135.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 212.1.210.54:587 -> 192.168.56.102:49169	2260002	SURICATA Applayer Detect protocol only one direction	Generic Protocol Command Decode
TCP 192.168.56.102:49169 -> 212.1.210.54:587	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 212.1.210.54:587 -> 192.168.56.102:49176	2260002	SURICATA Applayer Detect protocol only one direction	Generic Protocol Command Decode
TCP 192.168.56.102:49176 -> 212.1.210.54:587	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49163 162.159.135.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1 192.168.56.102:49169 212.1.210.54:587	C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority	CN=kofimade.com	98:18:48:39:a9:42:85:ac:13:7f:a6:27:73:76:e5:04:4c:ef:c3:09
TLSv1 192.168.56.102:49176 212.1.210.54:587	C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority	CN=kofimade.com	98:18:48:39:a9:42:85:ac:13:7f:a6:27:73:76:e5:04:4c:ef:c3:09

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 15, 2021, 9:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 15, 2021, 9:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 15, 2021, 9:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 15, 2021, 9:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 15, 2021, 9:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 15, 2021, 9:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 15, 2021, 9:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 15, 2021, 9:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 15, 2021, 9:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 15, 2021, 9:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 15, 2021, 9:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 15, 2021, 9:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 15, 2021, 9:38 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 15, 2021, 9:38 a.m.			0	0
IsDebuggerPresent Oct. 15, 2021, 9:38 a.m.			0	0
IsDebuggerPresent Oct. 15, 2021, 9:38 a.m.			0	0
IsDebuggerPresent Oct. 15, 2021, 9:38 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (12 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 15, 2021, 9:38 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5da8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 15, 2021, 9:38 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5da8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 15, 2021, 9:38 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5da8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 15, 2021, 9:38 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5da8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 15, 2021, 9:38 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5e28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 15, 2021, 9:38 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5e28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 15, 2021, 9:38 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5d28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 15, 2021, 9:38 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5d28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 15, 2021, 9:38 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5d28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 15, 2021, 9:38 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0542e4f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 15, 2021, 9:38 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0542e578 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 15, 2021, 9:38 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0542e578 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 15, 2021, 9:38 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Starts servers listening (3 events)

Time & API	Arguments	Status	Return
bind Oct. 15, 2021, 9:38 a.m.	ip_address: 127.0.0.1 socket: 612 port: 0	1	0
listen Oct. 15, 2021, 9:38 a.m.	socket: 612 backlog: 2147483647	1	0
accept Oct. 15, 2021, 9:38 a.m.	ip_address: 127.0.0.1 socket: 612 port: 0		4294967295

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://whatismyipaddress.com/
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/893177342426509335/898153497281843220/34E198FA.jpg
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/893177342426509335/898153500754722827/761CEF3D.jpg

Performs some HTTP requests (3 events)

request	GET http://whatismyipaddress.com/
request	GET https://cdn.discordapp.com/attachments/893177342426509335/898153497281843220/34E198FA.jpg
request	GET https://cdn.discordapp.com/attachments/893177342426509335/898153500754722827/761CEF3D.jpg

Allocates read-write-execute memory (usually to unpack itself) (50 out of 844 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00670000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02280000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02400000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00342000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0035c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00375000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0037b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00377000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0034a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0036a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00367000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00366000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0036b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0035a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00561000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00562000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceW Oct. 15, 2021, 10:06 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1	0
GetDiskFreeSpaceW Oct. 15, 2021, 10:06 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1	0

Steals private information from local Internet browsers (50 out of 64 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Floc\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Floc\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Login Data

Looks up the external IP address (1 event)

domain

whatismyipaddress.com

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 15, 2021, 9:38 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 15, 2021, 9:38 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Oct. 15, 2021, 9:38 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (12 events)

url	http://www.usertrust.com1
url	http://ocsp.comodoca.com0
url	http://crt.usertrust.com/UTNAddTrustObject_CA.crt0%
url	http://schemas.openxmlformats.org/markup-compatibility/2006
url	http://crl.usertrust.com/UTN-USERFirst-Object.crl05
url	http://crl.usertrust.com/UTN-USERFirst-Object.crl0t
url	https://secure.comodo.net/CPS0A
url	http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
url	http://www.nirsoft.net/
url	http://crl.usertrust.com/AddTrustExternalCARoot.crl05
url	http://ocsp.usertrust.com0
url	http://crt.comodoca.com/COMODOCodeSigningCA2.crt0

Yara rule detected in process memory (38 events)

description	Communications use DNS	rule	Network_DNS
description	Communications smtp	rule	Network_SMTP_dotNet
description	Virtual currency	rule	Virtual_currency_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Run a KeyLogger	rule	KeyLogger
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	email clients info stealer	rule	infoStealer_emailClients_Zero
description	Steal credential	rule	local_credential_Steal
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	email clients info stealer	rule	infoStealer_emailClients_Zero
description	Steal credential	rule	local_credential_Steal
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Steal credential	rule	local_credential_Steal

Makes SMTP requests, possibly sending spam (2 events)

receiver

[]

sender

[]

server

212.1.210.54

receiver

[]

sender

[]

server

212.1.210.54

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 972 region_size: 540672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000234	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 2808 region_size: 110592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000088c	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 2972 region_size: 360448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000064c	1

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Oct. 15, 2021, 9:40 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

Kofi.exe tried to sleep 5456630 seconds, actually delayed analysis time by 5456630 seconds

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\bitcoin\wallet.dat

Harvests information related to installed instant messenger clients (1 event)

registry

HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Oct. 15, 2021, 9:38 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELjñfaàÒð @ @@´ïW´ H.textÐ Ò `.rsrc´ Ô@@.reloc Þ@B base_address: 0x00400000 process_identifier: 972 process_handle: 0x00000234	1	1
WriteProcessMemory Oct. 15, 2021, 9:38 a.m.	buffer: (H`x¨ÀØèø èä(ä("äLhä( @ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿwwwwwwwwwwwwwwpDDDDDDDDDDDDDDpÿÿÿÿÿÿÿÿÿÿÿÿÿôpÿÿÿÿÿÿÿÿÿÿÿÿÿôpÿÿÿÿÿÿÿÿÿÿÿÿÿôpÿÿÿÿÿÿÿÿÿÿÿÿÿôpÿÿÿÿÿÿÿÿÿÿÿÿÿôpÿÿÿÿÿÿÿÿÿÿÿÿÿôpÿÿÿÿÿÿÿÿÿÿÿÿÿôpÿÿÿÿÿÿÿÿÿÿÿÿÿôpÿÿÿÿÿÿÿÿÿÿÿÿÿôpÿÿÿÿÿÿÿÿÿÿÿÿÿôpÿÿÿÿÿÿÿÿÿÿÿÿÿôpÿÿÿÿÿÿÿÿÿÿÿÿÿôpÿÿÿÿÿÿÿÿÿÿÿÿÿôpÿÿÿÿÿÿÿÿÿÿÿÿÿôpÿÿÿÿÿÿÿÿÿÿÿÿÿôpÿÿÿÿÿÿÿÿÿÿÿÿÿôpÿÿÿÿÿÿÿÿÿÿÿÿÿôpÿÿÿÿÿÿÿÿÿÿÿÿÿôppDDDDDDDDDDDDDDpLLLLLLLLLNÎÎItpÌÌÌÌÌÌÌÌÌÌÌÌÌÄDDDDDDDDDDDDD@ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÀÀÿÿÿÿÿÿÿÿÿÿÿÿ( ÀÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿwwwwwwwDDDDDDDGOÿÿÿÿÿøGOÿÿÿÿÿøGOÿÿÿÿÿøGOÿÿÿÿÿøGOÿÿÿÿÿøGOÿÿÿÿÿøGOÿÿÿÿÿøGOÿÿÿÿÿøGHGLÌÌÌÌÌÌGÄDDDDDDÀÿÿÿÿÿÿ è(PAh4VS_VERSION_INFO½ïþ?ÈStringFileInfo¤040904b1, CommentsXBel UFHc(CompanyNameUjs8FileDescriptionCjz RNU0FileVersion0.1.3.1: InternalNameDpAw FLn.exez+LegalCopyrightCopyright 2020 © JsH. All rights reserved.2LegalTrademarksGfaEB OriginalFilenameDpAw FLn.exe2 ProductNameDpAw FLn4ProductVersion1.7.0.68Assembly Version1.7.0.6DVarFileInfo$Translation PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD base_address: 0x00480000 process_identifier: 972 process_handle: 0x00000234	1	1
WriteProcessMemory Oct. 15, 2021, 9:38 a.m.	buffer: ð0 base_address: 0x00482000 process_identifier: 972 process_handle: 0x00000234	1	1
WriteProcessMemory Oct. 15, 2021, 9:38 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 972 process_handle: 0x00000234	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 15, 2021, 9:38 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELjñfaàÒð @ @@´ïW´ H.textÐ Ò `.rsrc´ Ô@@.reloc Þ@B base_address: 0x00400000 process_identifier: 972 process_handle: 0x00000234	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA Oct. 15, 2021, 9:38 a.m.	thread_identifier: 0 callback_function: 0x00a109c2 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	2490707	0

File has been identified by 12 AntiVirus engines on VirusTotal as malicious (12 events)

Cyren	W32/MSIL_Kryptik.FVW.gen!Eldorado
ESET-NOD32	a variant of MSIL/TrojanDownloader.Agent.JCA
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
Avast	Win32:PWSX-gen [Trj]
McAfee-GW-Edition	Artemis
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
McAfee	Artemis!4E956950A9AE
Malwarebytes	Trojan.Crypt.MSIL.Generic
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Agent.JBH!tr
AVG	Win32:PWSX-gen [Trj]

Harvests credentials from local email clients (6 events)

registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
registry	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird
registry	HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1196 called NtSetContextThread to modify thread in remote process 972
Process injection	Process 972 called NtSetContextThread to modify thread in remote process 2808
Process injection	Process 972 called NtSetContextThread to modify thread in remote process 2972
NtSetContextThread Oct. 15, 2021, 9:38 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4714510 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000230 process_identifier: 972	1	0	0
NtSetContextThread Oct. 15, 2021, 9:38 a.m.	registers.eip: 2007957956 registers.esp: 1638384 registers.edi: 0 registers.eax: 4265556 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000890 process_identifier: 2808	1	0	0
NtSetContextThread Oct. 15, 2021, 9:38 a.m.	registers.eip: 2007957956 registers.esp: 1638384 registers.edi: 0 registers.eax: 4466216 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000005c4 process_identifier: 2972	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1196 resumed a thread in remote process 972
Process injection	Process 972 resumed a thread in remote process 2808
Process injection	Process 972 resumed a thread in remote process 2972
NtResumeThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x00000230 suspend_count: 1 process_identifier: 972	1	0	0
NtResumeThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x00000890 suspend_count: 1 process_identifier: 2808	1	0	0
NtResumeThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x000005c4 suspend_count: 1 process_identifier: 2972	1	0	0

Attempts to modify Explorer settings to prevent hidden files from being displayed (1 event)

registry

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden

Executed a process and injected code into it, probably while unpacking (50 out of 53 events)

Time & API	Arguments	Status	Return
NtResumeThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1196	1	0
NtResumeThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 1196	1	0
NtResumeThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 1196	1	0
NtResumeThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x00000340 suspend_count: 1 process_identifier: 1196	1	0
NtResumeThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x00000598 suspend_count: 1 process_identifier: 1196	1	0
NtGetContextThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 1196	1	0
CreateProcessInternalW Oct. 15, 2021, 9:38 a.m.	thread_identifier: 2848 thread_handle: 0x00000230 process_identifier: 972 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\Kofi.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\Kofi.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000234	1	1
NtGetContextThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x00000230	1	0
NtAllocateVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 972 region_size: 540672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000234	1	0
WriteProcessMemory Oct. 15, 2021, 9:38 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELjñfaàÒð @ @@´ïW´ H.textÐ Ò `.rsrc´ Ô@@.reloc Þ@B base_address: 0x00400000 process_identifier: 972 process_handle: 0x00000234	1	1
WriteProcessMemory Oct. 15, 2021, 9:38 a.m.	buffer: base_address: 0x00402000 process_identifier: 972 process_handle: 0x00000234	1	1
WriteProcessMemory Oct. 15, 2021, 9:38 a.m.	buffer: (H`x¨ÀØèø èä(ä("äLhä( @ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿwwwwwwwwwwwwwwpDDDDDDDDDDDDDDpÿÿÿÿÿÿÿÿÿÿÿÿÿôpÿÿÿÿÿÿÿÿÿÿÿÿÿôpÿÿÿÿÿÿÿÿÿÿÿÿÿôpÿÿÿÿÿÿÿÿÿÿÿÿÿôpÿÿÿÿÿÿÿÿÿÿÿÿÿôpÿÿÿÿÿÿÿÿÿÿÿÿÿôpÿÿÿÿÿÿÿÿÿÿÿÿÿôpÿÿÿÿÿÿÿÿÿÿÿÿÿôpÿÿÿÿÿÿÿÿÿÿÿÿÿôpÿÿÿÿÿÿÿÿÿÿÿÿÿôpÿÿÿÿÿÿÿÿÿÿÿÿÿôpÿÿÿÿÿÿÿÿÿÿÿÿÿôpÿÿÿÿÿÿÿÿÿÿÿÿÿôpÿÿÿÿÿÿÿÿÿÿÿÿÿôpÿÿÿÿÿÿÿÿÿÿÿÿÿôpÿÿÿÿÿÿÿÿÿÿÿÿÿôpÿÿÿÿÿÿÿÿÿÿÿÿÿôpÿÿÿÿÿÿÿÿÿÿÿÿÿôppDDDDDDDDDDDDDDpLLLLLLLLLNÎÎItpÌÌÌÌÌÌÌÌÌÌÌÌÌÄDDDDDDDDDDDDD@ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÀÀÿÿÿÿÿÿÿÿÿÿÿÿ( ÀÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿwwwwwwwDDDDDDDGOÿÿÿÿÿøGOÿÿÿÿÿøGOÿÿÿÿÿøGOÿÿÿÿÿøGOÿÿÿÿÿøGOÿÿÿÿÿøGOÿÿÿÿÿøGOÿÿÿÿÿøGHGLÌÌÌÌÌÌGÄDDDDDDÀÿÿÿÿÿÿ è(PAh4VS_VERSION_INFO½ïþ?ÈStringFileInfo¤040904b1, CommentsXBel UFHc(CompanyNameUjs8FileDescriptionCjz RNU0FileVersion0.1.3.1: InternalNameDpAw FLn.exez+LegalCopyrightCopyright 2020 © JsH. All rights reserved.2LegalTrademarksGfaEB OriginalFilenameDpAw FLn.exe2 ProductNameDpAw FLn4ProductVersion1.7.0.68Assembly Version1.7.0.6DVarFileInfo$Translation PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD base_address: 0x00480000 process_identifier: 972 process_handle: 0x00000234	1	1
WriteProcessMemory Oct. 15, 2021, 9:38 a.m.	buffer: ð0 base_address: 0x00482000 process_identifier: 972 process_handle: 0x00000234	1	1
WriteProcessMemory Oct. 15, 2021, 9:38 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 972 process_handle: 0x00000234	1	1
NtSetContextThread Oct. 15, 2021, 9:38 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4714510 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000230 process_identifier: 972	1	0
NtResumeThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x00000230 suspend_count: 1 process_identifier: 972	1	0
NtResumeThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 972	1	0
NtResumeThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 972	1	0
NtResumeThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x000001c4 suspend_count: 1 process_identifier: 972	1	0
NtResumeThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x00000280 suspend_count: 1 process_identifier: 972	1	0
NtResumeThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x0000047c suspend_count: 1 process_identifier: 972	1	0
NtResumeThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x000004e0 suspend_count: 1 process_identifier: 972	1	0
NtResumeThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x00000518 suspend_count: 1 process_identifier: 972	1	0
NtResumeThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x0000057c suspend_count: 1 process_identifier: 972	1	0
NtResumeThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x00000594 suspend_count: 1 process_identifier: 972	1	0
NtResumeThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x000005b8 suspend_count: 1 process_identifier: 972	1	0
NtResumeThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x000005c4 suspend_count: 1 process_identifier: 972	1	0
NtResumeThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x000005ec suspend_count: 1 process_identifier: 972	1	0
NtResumeThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x000005c8 suspend_count: 1 process_identifier: 972	1	0
NtResumeThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x00000614 suspend_count: 1 process_identifier: 972	1	0
NtResumeThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x00000640 suspend_count: 1 process_identifier: 972	1	0
NtResumeThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x00000654 suspend_count: 1 process_identifier: 972	1	0
NtResumeThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x00000888 suspend_count: 1 process_identifier: 972	1	0
CreateProcessInternalW Oct. 15, 2021, 9:38 a.m.	thread_identifier: 2748 thread_handle: 0x00000890 process_identifier: 2808 current_directory: filepath: track: 1 command_line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\test22\AppData\Local\Temp\holdermail.txt" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000088c	1	1
NtUnmapViewOfSection Oct. 15, 2021, 9:38 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2808 process_handle: 0x0000088c	1	0
NtAllocateVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 2808 region_size: 110592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000088c	1	0
NtGetContextThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x00000890	1	0
NtSetContextThread Oct. 15, 2021, 9:38 a.m.	registers.eip: 2007957956 registers.esp: 1638384 registers.edi: 0 registers.eax: 4265556 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000890 process_identifier: 2808	1	0
NtResumeThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x00000890 suspend_count: 1 process_identifier: 2808	1	0
NtResumeThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x000005a4 suspend_count: 1 process_identifier: 972	1	0
CreateProcessInternalW Oct. 15, 2021, 9:38 a.m.	thread_identifier: 2960 thread_handle: 0x000005c4 process_identifier: 2972 current_directory: filepath: track: 1 command_line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\test22\AppData\Local\Temp\holderwb.txt" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000064c	1	1
NtUnmapViewOfSection Oct. 15, 2021, 9:38 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2972 process_handle: 0x0000064c	1	0
NtAllocateVirtualMemory Oct. 15, 2021, 9:38 a.m.	process_identifier: 2972 region_size: 360448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000064c	1	0
NtGetContextThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x000005c4	1	0
NtSetContextThread Oct. 15, 2021, 9:38 a.m.	registers.eip: 2007957956 registers.esp: 1638384 registers.edi: 0 registers.eax: 4466216 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000005c4 process_identifier: 2972	1	0
NtResumeThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x000005c4 suspend_count: 1 process_identifier: 2972	1	0
NtResumeThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x0000058c suspend_count: 1 process_identifier: 972	1	0
NtResumeThread Oct. 15, 2021, 9:38 a.m.	thread_handle: 0x00000574 suspend_count: 1 process_identifier: 972	1	0

Kofi.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All