Summary | ZeroBOX

KDSIE.exe

UPX Escalate privileges Socket ScreenShot Create Service DNS PE File .NET EXE PE32 AntiVM AntiDebug
Category FILE
Machine s1_win7_x6401
Started Dec. 5, 2022, 9:50 a.m.
Completed Dec. 5, 2022, 9:53 a.m.
Size 8.5MB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 0de080bdd3889d099ced53db9d587ca3
SHA256 5bd2e7b57ed34528049df57f83315978d762a743ec6a73392bb0e3bc815e70ad
CRC32 FEB76E47
ssdeep 98304:PKnuirDYDfU3QopOKH85dX15k6b/VDon2re+wAMgqMMOoU/ayN023xh6f3qrSn0B:PKnB8KAdF5/DHpMSMOjbRW3MB
Yara
  • IsPE32 - (no description)
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • Is_DotNET_EXE - (no description)
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
www.google.com 172.217.161.228
IP Address Status Action
164.124.101.2 Active Moloch
172.217.27.4 Active Moloch
194.190.152.92 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49174 -> 194.190.152.92:5404 2037087 ET MALWARE Win32/Unknown Stealer Command (geoblock) (Outbound) Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 194.190.152.92:5404 2037084 ET MALWARE Win32/Unknown Stealer Command (filegrab) (Outbound) Malware Command and Control Activity Detected
TCP 192.168.56.101:49176 -> 194.190.152.92:5404 2037085 ET MALWARE Win32/Unknown Stealer Command (loader) (Outbound) Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 194.190.152.92:5404 2037086 ET MALWARE Win32/Unknown Stealer Command (domaindetect) (Outbound) Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 194.190.152.92:5404 2037088 ET MALWARE Win32/Unknown Stealer CnC Log Exfil Malware Command and Control Activity Detected
TCP 194.190.152.92:5404 -> 192.168.56.101:49175 2260003 SURICATA Applayer Protocol detection skipped Generic Protocol Command Decode
TCP 192.168.56.101:49162 -> 172.217.27.4:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.101:49162
172.217.27.4:443
C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 CN=www.google.com 78:c8:75:67:11:10:cc:4e:f6:7a:ae:7c:09:54:a1:f7:44:d8:18:e0

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00845c80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00845cc0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00845cc0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x008468c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x008468c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00845fc0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features GET method with no useragent header
suspicious_request GET https://www.google.com/
request GET https://www.google.com/
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 1441792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00860000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00980000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2556
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2556
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727a2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 1245184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00580000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00670000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003a2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003bc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00630000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003d5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003db000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003d7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003c6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ca000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003c7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003cb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ba000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00631000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ac000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003bd000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003be000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00632000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00633000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e1f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2556
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6ebe2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00634000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00635000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00637000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00638000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00639000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e11000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0063a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0063b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0063c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0063d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00981000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e12000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0063e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06350000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06351000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06352000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06353000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06354000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06355000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06356000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06357000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06358000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2556
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 38400
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x07f20400
process_handle: 0xffffffff
3221225550 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs-journal
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnldfbidonfeldmalbflbmlebbipcnle\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\memijejgibaodndkimcclfapfladdchj\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\icblpoalghoakidcjiheabnkijnklhhe\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pocmplpaccanhmnllbbkpgfliimjljgo\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfel\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jjmgklicacbmnjlefkjmggcomejjpclk\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhl\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bkklifkecemccedpkhcebagjpehhabfb\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mfhbebgoclkghebffdldpobeajmbecfk\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcckkdbjnoikooededlapcalpionmalo\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\
wmi Select * from Win32_VideoController
wmi Select * from Win32_Processor
wmi Select * from Win32_OperatingSystem
wmi Select * from Win32_PhysicalMemory
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Create a Windows service rule Create_Service
description Communications over RAW Socket rule Network_TCP_Socket
description Take ScreenShot rule ScreenShot
description Communications use DNS rule Network_DNS
description Escalate privileges rule Escalate_priviledges
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
Time & API Arguments Status Return Repeated

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 2820
process_handle: 0x00000648
0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 2820
process_handle: 0x00000648
1 0 0
wmi Select * from Win32_Processor
wmi Select * from Win32_PhysicalMemory
host 194.190.152.92
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2820
region_size: 5902336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000063c
3221225496 0

NtAllocateVirtualMemory

process_identifier: 2820
region_size: 5902336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00410000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000063c
1 0 0

NtAllocateVirtualMemory

process_identifier: 2856
region_size: 5902336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000650
1 0 0

NtProtectVirtualMemory

process_identifier: 2856
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 5902336
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
process_handle: 0x00000650
1 0 0
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

information_class: 8 (SystemProcessorPerformanceInformation)
1 0 0
description KDSIE.exe tried to sleep 5456418 seconds, actually delayed analysis time by 5456418 seconds
file C:\Users\test22\AppData\Roaming\Bitcoin\wallets\
file C:\Users\test22\AppData\Roaming\Electrum\wallets\
file C:\Users\test22\AppData\Roaming\Litecoin\wallets\
file C:\Users\test22\AppData\Roaming\Quarkcoin\
file C:\Users\test22\AppData\Roaming\bytecoin\
file
file C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
Process injection Process 2556 manipulating memory of non-child process 2820
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2820
region_size: 5902336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000063c
3221225496 0

NtAllocateVirtualMemory

process_identifier: 2820
region_size: 5902336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00410000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000063c
1 0 0

NtProtectVirtualMemory

process_identifier: 2820
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 5902336
protection: 1 (PAGE_NOACCESS)
base_address: 0x00400000
process_handle: 0x0000063c
3221225496 0
Process injection Process 2556 injected into non-child 2820
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL ,®Šbà.  82¬VäðP2@ZyåV@ °WYÀWœXèXÌððWàÂW.text7282```.data´éP2ê<2@`À.rdataxk @4l &4@`@.eh_fram °T ’T@0@.bss°ãÀT€`À.edataY°WžT@0@.idataœÀW T@0À.CRTàW´T@0À.tls ðW¶T@0À.rsrcèX¸T@0À.relocÌðXò¾T@0B
base_address: 0x00410000
process_identifier: 2820
process_handle: 0x0000063c
1 1 0

WriteProcessMemory

buffer: zR| ˆà_«ÿ›C V G (8da«ÿéAƒC bC LC j  d(b«ÿ?C@{|Pb«ÿC \b«ÿC ¤hb«ÿ¸db«ÿzR| ˆ¨\ÝÿwC A D zR| ˆTô\ÝÿwA‡A †AƒC0x Cà AÆAÇE T Aà AÆAÇA SAà AÆAÇzR| ˆ]Ýÿ$C0`zR| ˆ<]Ýÿ³A…A ‡A†AƒC’ AÃAÆ AÇAÅC zR| ˆPl]ÝÿÞA…A ‡A†AƒC0¥ CÃAÆ AÇAÅF _AÃAÆ CÇAÅzR| ˆ,à]ÝÿQA…B I‡†ƒR ÃAÆAÇAÅ G zR| ˆ$øaÝÿ]ƒH  …AÅ _ÃzR| ˆÈbÝÿ1N\ 4ðbÝÿRAƒC o AÃD X,cÝÿzR| ˆ cÝÿCC U H `D<PcÝÿ¡A†A ƒC d  FÃAÆH o  FÃAÆJ _ FÃAÆ„¸cÝÿzR| ˆ8œcÝÿ`A†A ƒC LI PC jC C AÃAÆ,XÀcÝÿsQƒC sN OE C AÃA 8ˆdÝÿˆAƒC P CÃI LH xE C AÃK 0ÄddÝÿ¼C Z C [ E iC Z J dC zR| ˆØdÝÿJA†A ƒC d<eÝÿìA…A ‡C†CƒEPXDCPm AÃAÆ AÇAÅG d@CPB@CPC AÃAÆ AÇAÅA H¤eÝÿêj‡A †AƒC0“ Aà AÆAÇK û Aà AÆAÇB zR| ˆ<gÝÿ'A…A ‡A†AƒCP& AÃAÆ AÇAÅG <\ jÝÿ'A…C ‡A†CƒC@Ê CÃAÆ AÇAÅE <œükÝÿA‡D †Aƒk à AÆAÇE Y à FÆAÇA DÜ\lÝÿ\A‡A †CƒE @ Cà AÆAÇA CFà AÆAÇ($tlÝÿIA†C ƒE o  AÃAÆF (P˜lÝÿKA†C ƒC z  AÃAÆA <|¼lÝÿ’A…B F‡†ƒÉ ÃAÆAÇAÅ K " ÃAÆAÇAÅ K ,¼uÝÿõA…B F‡†ƒF ÃAÆAÇAÅ F @ììuÝÿWA‡A †AƒC O Aà AÆAÇH oAà AÆAÇzR| ˆ,ðuÝÿA…B F‡†ƒ´ ÃAÆAÇAÅ H zR| ˆ@ÈyÝÿéA†A ƒHàPØCàW  CÃAÆH M  CÃAÆG L`tzÝÿ¸A†A ƒHàPØCàW  CÃAÆH M  CÃAÆG [ CÃAÆT°äzÝÿÿA…A ‡A†AƒFÀS CÃAÆ AÇAÅE S CÃAÆ AÇAÅG Œ|ÝÿOAƒCv CÃC (,¸|ÝÿBAƒC VC Q AÃA ,XÜ|Ýÿ_AƒC VC R AÃH eAÈ }Ýÿ'CQ A 4¤ }ÝÿqA†A ƒC R  AÃAÆG N AÃAÆ
base_address: 0x0095b000
process_identifier: 2820
process_handle: 0x0000063c
1 1 0

WriteProcessMemory

buffer: ,®ŠbŒ°W (°WP°Wx°WL£W€¾$`¼$ ½$@½$½$à¾$à½$°¼$ ¾$–°W¨°W½°WаWå°W÷°W±W±W5±WD±W a.out.exe_cgo_dummy_exportauthorizerTrampolinecallbackTrampolinecommitHookTrampolinecompareTrampolinedoneTrampolinepreUpdateHookTrampolinerollbackHookTrampolinestepTrampolineupdateHookTrampoline
base_address: 0x0098b000
process_identifier: 2820
process_handle: 0x0000063c
1 1 0

WriteProcessMemory

buffer: àrr
base_address: 0x0098e000
process_identifier: 2820
process_handle: 0x0000063c
1 1 0

WriteProcessMemory

buffer: ð—ð—l£—à—
base_address: 0x0098f000
process_identifier: 2820
process_handle: 0x0000063c
1 1 0

WriteProcessMemory

buffer: €0€HXX<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker"/> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!--The ID below indicates application support for Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!--The ID below indicates application support for Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!--The ID below indicates application support for Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!--The ID below indicates application support for Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!--The ID below indicates application support for Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> </assembly>
base_address: 0x00990000
process_identifier: 2820
process_handle: 0x0000063c
1 1 0

WriteProcessMemory

buffer: A
base_address: 0xfffde008
process_identifier: 2820
process_handle: 0x0000063c
1 1 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL ,®Šbà.  82¬VäðP2@ZyåV@ °WYÀWœXèXÌððWàÂW.text7282```.data´éP2ê<2@`À.rdataxk @4l &4@`@.eh_fram °T ’T@0@.bss°ãÀT€`À.edataY°WžT@0@.idataœÀW T@0À.CRTàW´T@0À.tls ðW¶T@0À.rsrcèX¸T@0À.relocÌðXò¾T@0B
base_address: 0x00400000
process_identifier: 2856
process_handle: 0x00000650
1 1 0

WriteProcessMemory

buffer: zR| ˆà_«ÿ›C V G (8da«ÿéAƒC bC LC j  d(b«ÿ?C@{|Pb«ÿC \b«ÿC ¤hb«ÿ¸db«ÿzR| ˆ¨\ÝÿwC A D zR| ˆTô\ÝÿwA‡A †AƒC0x Cà AÆAÇE T Aà AÆAÇA SAà AÆAÇzR| ˆ]Ýÿ$C0`zR| ˆ<]Ýÿ³A…A ‡A†AƒC’ AÃAÆ AÇAÅC zR| ˆPl]ÝÿÞA…A ‡A†AƒC0¥ CÃAÆ AÇAÅF _AÃAÆ CÇAÅzR| ˆ,à]ÝÿQA…B I‡†ƒR ÃAÆAÇAÅ G zR| ˆ$øaÝÿ]ƒH  …AÅ _ÃzR| ˆÈbÝÿ1N\ 4ðbÝÿRAƒC o AÃD X,cÝÿzR| ˆ cÝÿCC U H `D<PcÝÿ¡A†A ƒC d  FÃAÆH o  FÃAÆJ _ FÃAÆ„¸cÝÿzR| ˆ8œcÝÿ`A†A ƒC LI PC jC C AÃAÆ,XÀcÝÿsQƒC sN OE C AÃA 8ˆdÝÿˆAƒC P CÃI LH xE C AÃK 0ÄddÝÿ¼C Z C [ E iC Z J dC zR| ˆØdÝÿJA†A ƒC d<eÝÿìA…A ‡C†CƒEPXDCPm AÃAÆ AÇAÅG d@CPB@CPC AÃAÆ AÇAÅA H¤eÝÿêj‡A †AƒC0“ Aà AÆAÇK û Aà AÆAÇB zR| ˆ<gÝÿ'A…A ‡A†AƒCP& AÃAÆ AÇAÅG <\ jÝÿ'A…C ‡A†CƒC@Ê CÃAÆ AÇAÅE <œükÝÿA‡D †Aƒk à AÆAÇE Y à FÆAÇA DÜ\lÝÿ\A‡A †CƒE @ Cà AÆAÇA CFà AÆAÇ($tlÝÿIA†C ƒE o  AÃAÆF (P˜lÝÿKA†C ƒC z  AÃAÆA <|¼lÝÿ’A…B F‡†ƒÉ ÃAÆAÇAÅ K " ÃAÆAÇAÅ K ,¼uÝÿõA…B F‡†ƒF ÃAÆAÇAÅ F @ììuÝÿWA‡A †AƒC O Aà AÆAÇH oAà AÆAÇzR| ˆ,ðuÝÿA…B F‡†ƒ´ ÃAÆAÇAÅ H zR| ˆ@ÈyÝÿéA†A ƒHàPØCàW  CÃAÆH M  CÃAÆG L`tzÝÿ¸A†A ƒHàPØCàW  CÃAÆH M  CÃAÆG [ CÃAÆT°äzÝÿÿA…A ‡A†AƒFÀS CÃAÆ AÇAÅE S CÃAÆ AÇAÅG Œ|ÝÿOAƒCv CÃC (,¸|ÝÿBAƒC VC Q AÃA ,XÜ|Ýÿ_AƒC VC R AÃH eAÈ }Ýÿ'CQ A 4¤ }ÝÿqA†A ƒC R  AÃAÆG N AÃAÆ
base_address: 0x0094b000
process_identifier: 2856
process_handle: 0x00000650
1 1 0

WriteProcessMemory

buffer: ,®ŠbŒ°W (°WP°Wx°WL£W€¾$`¼$ ½$@½$½$à¾$à½$°¼$ ¾$–°W¨°W½°WаWå°W÷°W±W±W5±WD±W a.out.exe_cgo_dummy_exportauthorizerTrampolinecallbackTrampolinecommitHookTrampolinecompareTrampolinedoneTrampolinepreUpdateHookTrampolinerollbackHookTrampolinestepTrampolineupdateHookTrampoline
base_address: 0x0097b000
process_identifier: 2856
process_handle: 0x00000650
1 1 0

WriteProcessMemory

buffer: àrr
base_address: 0x0097e000
process_identifier: 2856
process_handle: 0x00000650
1 1 0

WriteProcessMemory

buffer: ð—ð—l£—à—
base_address: 0x0097f000
process_identifier: 2856
process_handle: 0x00000650
1 1 0

WriteProcessMemory

buffer: €0€HXX<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker"/> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!--The ID below indicates application support for Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!--The ID below indicates application support for Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!--The ID below indicates application support for Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!--The ID below indicates application support for Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!--The ID below indicates application support for Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> </assembly>
base_address: 0x00980000
process_identifier: 2856
process_handle: 0x00000650
1 1 0

WriteProcessMemory

buffer: @
base_address: 0xfffde008
process_identifier: 2856
process_handle: 0x00000650
1 1 0
Process injection Process 2556 injected into non-child 2820
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL ,®Šbà.  82¬VäðP2@ZyåV@ °WYÀWœXèXÌððWàÂW.text7282```.data´éP2ê<2@`À.rdataxk @4l &4@`@.eh_fram °T ’T@0@.bss°ãÀT€`À.edataY°WžT@0@.idataœÀW T@0À.CRTàW´T@0À.tls ðW¶T@0À.rsrcèX¸T@0À.relocÌðXò¾T@0B
base_address: 0x00410000
process_identifier: 2820
process_handle: 0x0000063c
1 1 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL ,®Šbà.  82¬VäðP2@ZyåV@ °WYÀWœXèXÌððWàÂW.text7282```.data´éP2ê<2@`À.rdataxk @4l &4@`@.eh_fram °T ’T@0@.bss°ãÀT€`À.edataY°WžT@0@.idataœÀW T@0À.CRTàW´T@0À.tls ðW¶T@0À.rsrcèX¸T@0À.relocÌðXò¾T@0B
base_address: 0x00400000
process_identifier: 2856
process_handle: 0x00000650
1 1 0
Process injection Process 2556 called NtSetContextThread to modify thread in remote process 2856
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4199152
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000064c
process_identifier: 2856
1 0 0
process dwm.exe
process srvany.exe
process system
process spoolsv.exe
process: potential process injection target wininit.exe
process vbc.exe
process: potential process injection target winlogon.exe
process: potential process injection target csrss.exe
process kmservice.exe
process: potential process injection target explorer.exe
process: potential process injection target smss.exe
process taskhost.exe
process audiodg.exe
process wmiprvse.exe
process sppsvc.exe
process pw.exe
process lsm.exe
process: potential process injection target lsass.exe
process: potential process injection target services.exe
process searchindexer.exe
process conhost.exe
process: potential process injection target svchost.exe
file C:\Users\test22\AppData\Local\Temp\vbc.exe.lock
file C:\Users\test22\AppData\Local\Temp\KDSIE.exe\:Zone.Identifier
Process injection Process 2556 resumed a thread in remote process 2856
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x0000064c
suspend_count: 1
process_identifier: 2856
1 0 0
Time & API Arguments Status Return Repeated

LdrGetProcedureAddress

ordinal: 0
function_address: 0x001df9a9
function_name: wine_get_version
module: ntdll
module_address: 0x76f10000
3221225785 0
dead_host 192.168.56.101:49175
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000000e0
suspend_count: 1
process_identifier: 2556
1 0 0

NtResumeThread

thread_handle: 0x00000154
suspend_count: 1
process_identifier: 2556
1 0 0

NtResumeThread

thread_handle: 0x00000190
suspend_count: 1
process_identifier: 2556
1 0 0

NtResumeThread

thread_handle: 0x00000348
suspend_count: 1
process_identifier: 2556
1 0 0

NtResumeThread

thread_handle: 0x0000020c
suspend_count: 1
process_identifier: 2556
1 0 0

NtGetContextThread

thread_handle: 0x000000e8
1 0 0

NtGetContextThread

thread_handle: 0x000000e8
1 0 0

NtResumeThread

thread_handle: 0x000000e8
suspend_count: 1
process_identifier: 2556
1 0 0

NtResumeThread

thread_handle: 0x000005f8
suspend_count: 1
process_identifier: 2556
1 0 0

NtResumeThread

thread_handle: 0x0000060c
suspend_count: 1
process_identifier: 2556
1 0 0

NtResumeThread

thread_handle: 0x00000620
suspend_count: 1
process_identifier: 2556
1 0 0

CreateProcessInternalW

thread_identifier: 2824
thread_handle: 0x00000638
process_identifier: 2820
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
track: 1
command_line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x0000063c
1 1 0

NtGetContextThread

thread_handle: 0x00000638
1 0 0

NtAllocateVirtualMemory

process_identifier: 2820
region_size: 5902336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000063c
3221225496 0

NtAllocateVirtualMemory

process_identifier: 2820
region_size: 5902336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00410000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000063c
1 0 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL ,®Šbà.  82¬VäðP2@ZyåV@ °WYÀWœXèXÌððWàÂW.text7282```.data´éP2ê<2@`À.rdataxk @4l &4@`@.eh_fram °T ’T@0@.bss°ãÀT€`À.edataY°WžT@0@.idataœÀW T@0À.CRTàW´T@0À.tls ðW¶T@0À.rsrcèX¸T@0À.relocÌðXò¾T@0B
base_address: 0x00410000
process_identifier: 2820
process_handle: 0x0000063c
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00411000
process_identifier: 2820
process_handle: 0x0000063c
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00735000
process_identifier: 2820
process_handle: 0x0000063c
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00754000
process_identifier: 2820
process_handle: 0x0000063c
1 1 0

WriteProcessMemory

buffer: zR| ˆà_«ÿ›C V G (8da«ÿéAƒC bC LC j  d(b«ÿ?C@{|Pb«ÿC \b«ÿC ¤hb«ÿ¸db«ÿzR| ˆ¨\ÝÿwC A D zR| ˆTô\ÝÿwA‡A †AƒC0x Cà AÆAÇE T Aà AÆAÇA SAà AÆAÇzR| ˆ]Ýÿ$C0`zR| ˆ<]Ýÿ³A…A ‡A†AƒC’ AÃAÆ AÇAÅC zR| ˆPl]ÝÿÞA…A ‡A†AƒC0¥ CÃAÆ AÇAÅF _AÃAÆ CÇAÅzR| ˆ,à]ÝÿQA…B I‡†ƒR ÃAÆAÇAÅ G zR| ˆ$øaÝÿ]ƒH  …AÅ _ÃzR| ˆÈbÝÿ1N\ 4ðbÝÿRAƒC o AÃD X,cÝÿzR| ˆ cÝÿCC U H `D<PcÝÿ¡A†A ƒC d  FÃAÆH o  FÃAÆJ _ FÃAÆ„¸cÝÿzR| ˆ8œcÝÿ`A†A ƒC LI PC jC C AÃAÆ,XÀcÝÿsQƒC sN OE C AÃA 8ˆdÝÿˆAƒC P CÃI LH xE C AÃK 0ÄddÝÿ¼C Z C [ E iC Z J dC zR| ˆØdÝÿJA†A ƒC d<eÝÿìA…A ‡C†CƒEPXDCPm AÃAÆ AÇAÅG d@CPB@CPC AÃAÆ AÇAÅA H¤eÝÿêj‡A †AƒC0“ Aà AÆAÇK û Aà AÆAÇB zR| ˆ<gÝÿ'A…A ‡A†AƒCP& AÃAÆ AÇAÅG <\ jÝÿ'A…C ‡A†CƒC@Ê CÃAÆ AÇAÅE <œükÝÿA‡D †Aƒk à AÆAÇE Y à FÆAÇA DÜ\lÝÿ\A‡A †CƒE @ Cà AÆAÇA CFà AÆAÇ($tlÝÿIA†C ƒE o  AÃAÆF (P˜lÝÿKA†C ƒC z  AÃAÆA <|¼lÝÿ’A…B F‡†ƒÉ ÃAÆAÇAÅ K " ÃAÆAÇAÅ K ,¼uÝÿõA…B F‡†ƒF ÃAÆAÇAÅ F @ììuÝÿWA‡A †AƒC O Aà AÆAÇH oAà AÆAÇzR| ˆ,ðuÝÿA…B F‡†ƒ´ ÃAÆAÇAÅ H zR| ˆ@ÈyÝÿéA†A ƒHàPØCàW  CÃAÆH M  CÃAÆG L`tzÝÿ¸A†A ƒHàPØCàW  CÃAÆH M  CÃAÆG [ CÃAÆT°äzÝÿÿA…A ‡A†AƒFÀS CÃAÆ AÇAÅE S CÃAÆ AÇAÅG Œ|ÝÿOAƒCv CÃC (,¸|ÝÿBAƒC VC Q AÃA ,XÜ|Ýÿ_AƒC VC R AÃH eAÈ }Ýÿ'CQ A 4¤ }ÝÿqA†A ƒC R  AÃAÆG N AÃAÆ
base_address: 0x0095b000
process_identifier: 2820
process_handle: 0x0000063c
1 1 0

WriteProcessMemory

buffer: ,®ŠbŒ°W (°WP°Wx°WL£W€¾$`¼$ ½$@½$½$à¾$à½$°¼$ ¾$–°W¨°W½°WаWå°W÷°W±W±W5±WD±W a.out.exe_cgo_dummy_exportauthorizerTrampolinecallbackTrampolinecommitHookTrampolinecompareTrampolinedoneTrampolinepreUpdateHookTrampolinerollbackHookTrampolinestepTrampolineupdateHookTrampoline
base_address: 0x0098b000
process_identifier: 2820
process_handle: 0x0000063c
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0098c000
process_identifier: 2820
process_handle: 0x0000063c
1 1 0

WriteProcessMemory

buffer: àrr
base_address: 0x0098e000
process_identifier: 2820
process_handle: 0x0000063c
1 1 0

WriteProcessMemory

buffer: ð—ð—l£—à—
base_address: 0x0098f000
process_identifier: 2820
process_handle: 0x0000063c
1 1 0

WriteProcessMemory

buffer: €0€HXX<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker"/> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!--The ID below indicates application support for Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!--The ID below indicates application support for Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!--The ID below indicates application support for Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!--The ID below indicates application support for Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!--The ID below indicates application support for Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> </assembly>
base_address: 0x00990000
process_identifier: 2820
process_handle: 0x0000063c
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00991000
process_identifier: 2820
process_handle: 0x0000063c
1 1 0

WriteProcessMemory

buffer: A
base_address: 0xfffde008
process_identifier: 2820
process_handle: 0x0000063c
1 1 0

CreateProcessInternalW

thread_identifier: 2860
thread_handle: 0x0000064c
process_identifier: 2856
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
track: 1
command_line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000650
1 1 0

NtGetContextThread

thread_handle: 0x0000064c
1 0 0

NtAllocateVirtualMemory

process_identifier: 2856
region_size: 5902336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000650
1 0 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL ,®Šbà.  82¬VäðP2@ZyåV@ °WYÀWœXèXÌððWàÂW.text7282```.data´éP2ê<2@`À.rdataxk @4l &4@`@.eh_fram °T ’T@0@.bss°ãÀT€`À.edataY°WžT@0@.idataœÀW T@0À.CRTàW´T@0À.tls ðW¶T@0À.rsrcèX¸T@0À.relocÌðXò¾T@0B
base_address: 0x00400000
process_identifier: 2856
process_handle: 0x00000650
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00401000
process_identifier: 2856
process_handle: 0x00000650
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00725000
process_identifier: 2856
process_handle: 0x00000650
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00744000
process_identifier: 2856
process_handle: 0x00000650
1 1 0

WriteProcessMemory

buffer: zR| ˆà_«ÿ›C V G (8da«ÿéAƒC bC LC j  d(b«ÿ?C@{|Pb«ÿC \b«ÿC ¤hb«ÿ¸db«ÿzR| ˆ¨\ÝÿwC A D zR| ˆTô\ÝÿwA‡A †AƒC0x Cà AÆAÇE T Aà AÆAÇA SAà AÆAÇzR| ˆ]Ýÿ$C0`zR| ˆ<]Ýÿ³A…A ‡A†AƒC’ AÃAÆ AÇAÅC zR| ˆPl]ÝÿÞA…A ‡A†AƒC0¥ CÃAÆ AÇAÅF _AÃAÆ CÇAÅzR| ˆ,à]ÝÿQA…B I‡†ƒR ÃAÆAÇAÅ G zR| ˆ$øaÝÿ]ƒH  …AÅ _ÃzR| ˆÈbÝÿ1N\ 4ðbÝÿRAƒC o AÃD X,cÝÿzR| ˆ cÝÿCC U H `D<PcÝÿ¡A†A ƒC d  FÃAÆH o  FÃAÆJ _ FÃAÆ„¸cÝÿzR| ˆ8œcÝÿ`A†A ƒC LI PC jC C AÃAÆ,XÀcÝÿsQƒC sN OE C AÃA 8ˆdÝÿˆAƒC P CÃI LH xE C AÃK 0ÄddÝÿ¼C Z C [ E iC Z J dC zR| ˆØdÝÿJA†A ƒC d<eÝÿìA…A ‡C†CƒEPXDCPm AÃAÆ AÇAÅG d@CPB@CPC AÃAÆ AÇAÅA H¤eÝÿêj‡A †AƒC0“ Aà AÆAÇK û Aà AÆAÇB zR| ˆ<gÝÿ'A…A ‡A†AƒCP& AÃAÆ AÇAÅG <\ jÝÿ'A…C ‡A†CƒC@Ê CÃAÆ AÇAÅE <œükÝÿA‡D †Aƒk à AÆAÇE Y à FÆAÇA DÜ\lÝÿ\A‡A †CƒE @ Cà AÆAÇA CFà AÆAÇ($tlÝÿIA†C ƒE o  AÃAÆF (P˜lÝÿKA†C ƒC z  AÃAÆA <|¼lÝÿ’A…B F‡†ƒÉ ÃAÆAÇAÅ K " ÃAÆAÇAÅ K ,¼uÝÿõA…B F‡†ƒF ÃAÆAÇAÅ F @ììuÝÿWA‡A †AƒC O Aà AÆAÇH oAà AÆAÇzR| ˆ,ðuÝÿA…B F‡†ƒ´ ÃAÆAÇAÅ H zR| ˆ@ÈyÝÿéA†A ƒHàPØCàW  CÃAÆH M  CÃAÆG L`tzÝÿ¸A†A ƒHàPØCàW  CÃAÆH M  CÃAÆG [ CÃAÆT°äzÝÿÿA…A ‡A†AƒFÀS CÃAÆ AÇAÅE S CÃAÆ AÇAÅG Œ|ÝÿOAƒCv CÃC (,¸|ÝÿBAƒC VC Q AÃA ,XÜ|Ýÿ_AƒC VC R AÃH eAÈ }Ýÿ'CQ A 4¤ }ÝÿqA†A ƒC R  AÃAÆG N AÃAÆ
base_address: 0x0094b000
process_identifier: 2856
process_handle: 0x00000650
1 1 0

WriteProcessMemory

buffer: ,®ŠbŒ°W (°WP°Wx°WL£W€¾$`¼$ ½$@½$½$à¾$à½$°¼$ ¾$–°W¨°W½°WаWå°W÷°W±W±W5±WD±W a.out.exe_cgo_dummy_exportauthorizerTrampolinecallbackTrampolinecommitHookTrampolinecompareTrampolinedoneTrampolinepreUpdateHookTrampolinerollbackHookTrampolinestepTrampolineupdateHookTrampoline
base_address: 0x0097b000
process_identifier: 2856
process_handle: 0x00000650
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0097c000
process_identifier: 2856
process_handle: 0x00000650
1 1 0

WriteProcessMemory

buffer: àrr
base_address: 0x0097e000
process_identifier: 2856
process_handle: 0x00000650
1 1 0

WriteProcessMemory

buffer: ð—ð—l£—à—
base_address: 0x0097f000
process_identifier: 2856
process_handle: 0x00000650
1 1 0

WriteProcessMemory

buffer: €0€HXX<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker"/> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!--The ID below indicates application support for Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!--The ID below indicates application support for Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!--The ID below indicates application support for Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!--The ID below indicates application support for Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!--The ID below indicates application support for Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> </assembly>
base_address: 0x00980000
process_identifier: 2856
process_handle: 0x00000650
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00981000
process_identifier: 2856
process_handle: 0x00000650
1 1 0

WriteProcessMemory

buffer: @
base_address: 0xfffde008
process_identifier: 2856
process_handle: 0x00000650
1 1 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4199152
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000064c
process_identifier: 2856
1 0 0

NtResumeThread

thread_handle: 0x0000064c
suspend_count: 1
process_identifier: 2856
1 0 0

NtResumeThread

thread_handle: 0x000000b8
suspend_count: 1
process_identifier: 2856
1 0 0

NtResumeThread

thread_handle: 0x000000bc
suspend_count: 1
process_identifier: 2856
1 0 0

NtResumeThread

thread_handle: 0x000000c8
suspend_count: 1
process_identifier: 2856
1 0 0

NtResumeThread

thread_handle: 0x000000ec
suspend_count: 1
process_identifier: 2856
1 0 0

NtResumeThread

thread_handle: 0x000000f0
suspend_count: 1
process_identifier: 2856
1 0 0

NtGetContextThread

thread_handle: 0x00000128
1 0 0
MicroWorld-eScan Gen:Variant.Lazy.269992
FireEye Generic.mg.0de080bdd3889d09
ALYac Gen:Variant.Lazy.269992
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
Alibaba TrojanPSW:MSIL/Stealer.d4fd130b
Cybereason malicious.384454
Arcabit Trojan.Lazy.D41EA8
BitDefenderTheta Gen:NN.ZemsilF.36106.@p2@aup1vAfi
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of MSIL/TrojanDownloader.Agent.OES
TrendMicro-HouseCall TROJ_GEN.R002H0CL422
Kaspersky HEUR:Trojan-PSW.MSIL.Stealer.gen
BitDefender Gen:Variant.Lazy.269992
Cynet Malicious (score: 99)
Avast Win32:Trojan-gen
Tencent Msil.Trojan-Downloader.Ader.Gajl
Ad-Aware Gen:Variant.Lazy.269992
Emsisoft Gen:Variant.Lazy.269992 (B)
VIPRE Gen:Variant.Lazy.269992
McAfee-GW-Edition Artemis!Trojan
SentinelOne Static AI - Malicious PE
Trapmine suspicious.low.ml.score
Sophos Mal/Generic-S
APEX Malicious
Avira TR/Dldr.Agent.yhvuv
MAX malware (ai score=81)
Kingsoft Win32.PSWTroj.Undef.(kcloud)
Gridinsoft Ransom.Win32.Wacatac.sa
Microsoft Trojan:Win32/Sabsik.FL.B!ml
GData Gen:Variant.Lazy.269992
Google Detected
Acronis suspicious
McAfee Artemis!0DE080BDD388
VBA32 Malware-Cryptor.MSIL.AgentTesla.Heur
Ikarus Trojan.MSIL.Crypt
Fortinet MSIL/Agent.OES!tr.dldr
AVG Win32:Trojan-gen
CrowdStrike win/malicious_confidence_100% (W)