Summary | ZeroBOX

Dollar.exe

Backdoor Client SW User Data Stealer RemcosRAT info stealer browser Chrome Confuser .NET Downloader Google User Data ScreenShot KeyLogger Internet API Create Service Socket Escalate privileges DNS PWS Sniff Audio AntiDebug PE64 PE File AntiVM
Category FILE
Machine s1_win7_x6401
Started June 28, 2023, 7:28 a.m.
Completed June 28, 2023, 7:39 a.m.
Size 1.8MB
Type PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5 75c279006f649b36303f4167f5617c53
SHA256 e1cf35a98cc9a3e08243dce9b26b0aa4468cdfa06b4a3f7615f7e088e195bdc4
CRC32 145A907E
ssdeep 49152:5WfOzgIZkaVVqb8cwaEf6019rG3ysy0iXTc:5WfOYaPc2VrSBytY
PDB Path HHHhhHh776.pdb
Yara
  • IsPE64 - (no description)
  • ConfuserEx_Zero - Confuser .NET
  • PE_Header_Zero - PE File Signature

DNS (Name / Response / Post-Analysis Lookup): No hosts contacted.

IP Address Status Action
91.192.100.10 Active Moloch

Suricata Alerts

Flow TCP 192.168.56.101:49165 -> 91.192.100.10:11010
SID 2036594
Signature ET JA3 Hash - Remcos 3.x TLS Connection
Category Malware Command and Control Activity Detected

Suricata TLS

Flow TLS 1.3 192.168.56.101:49165 -> 91.192.100.10:11010
Issuer None
Subject None
Fingerprint None

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
pdb_path HHHhhHh776.pdb
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .sdata
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 1900544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000760000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000008b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3a31000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef40cb000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 2228224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000022b0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002450000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3a32000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3a32000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3a32000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3a32000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3a32000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3a32000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3a32000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3a32000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3a32000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3a32000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3a32000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3a34000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3a34000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3a34000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3a34000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe942aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe942bc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe9435c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe94386000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe94360000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe942ab000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe943d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 32768
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe943d1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe943d9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe942a2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe943da000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe942cb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe943db000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 32768
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe943dc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe943e4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe942ba000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe942fc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe942cd000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe943e5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe942bd000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe943e6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe943e7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe943e8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 11111111112222222222333333333344444444445552\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1111111111222222222233333333334444444444555555555566666666667777777777888884\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1111111118\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 111111111122222222223333333333444444444455555555556666666668\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1111111111222222222233333333334444444444555555555566666666667772\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1111111111222222222233333333334444444444555555555566666666667777777777881\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 11111116\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 111111111122222222223333333333444444444455555556\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 111111111122223\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 111111111122222222223333333333444444444455555555556666666666777777777788888888889999999998\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1111111111222222222233333333334444444444555555555566666666667777777777888888887\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1111111111222222222233333333334442\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 11111111112222222222333333333344444444445555555555666666666677777777778888888888991\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 111111111122222222223333333333444444444455555555556666666666777777777780\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1111111111222222222233333333334444444444555554\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 10\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1112\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1111111111222222222233333333334444444444555555555566666666669\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 11111111112222222222333333333344444444445555555555666666666670\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1111111111222222222233333333334444444444555555555566666666667777777777888888888899999996\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 111111111122222222223333333333444444444455555555556662\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 111111111122222222223333333333444444444455555555556666665\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 111111111122222222223333333333444444444455555555556666666666777777777788888888889\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1111111111222222222233333333334444444444555555555566666666667777775\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 11111111112222222222333333333344444446\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 111111111120\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1111111111222222222233333333334444444448\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1111111111222222222233333333334444444444551\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 111111111122222222223333333333444444444455555555556666666666777777777788888888889992\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 11111111112222222222331\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1111111111222222222233333333334444444444555555555560\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 2\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 11111111112222222222333333333344444444445555555555666666666677777777778888888888999994\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 111111111122222222223333333333441\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 7\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 11111111112222222222333333333340\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 11111111112222222222333333333344444444445555555555666666666677777777778882\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1111111111222222222233333333334444444444555555557\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 11111111112222225\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1111111111222222222233333\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 111111111122222222223333335\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 111111111122222222223333333333444444447\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 11111111112222222222333333333344444444445555555555666666666677777777779\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1111111111222222222233333333334444444444555555555566666666667777777777888888888899999999999\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1111111111222222222233333333334444444444555555555566666666667777777777888888888890\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1111115\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 11111111112222222222333333333344444444445555555555666666666677777776\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 111111111122222222223333333333444444444455555555556666666666777777777788883\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 11111111112222222222333333333344444444445555555555666666666677777777778888888888999999997\Network\Cookies
section .text (size_of_data 0x001c5e00, virtual_address 0x00002000, virtual_size 0x001c5c44, entropy 7.993812886578766) entropy 7.99381288658 description A section with a high entropy has been found
entropy 0.998899587345 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Create a windows service rule Create_Service
description Client_SW_User_Data_Stealer rule Client_SW_User_Data_Stealer
description Win Backdoor RemcosRAT rule Win_Backdoor_RemcosRAT
description Communications over RAW Socket rule Network_TCP_Socket
description File Downloader rule Network_Downloader
description browser info stealer rule infoStealer_browser_Zero
description Escalate privileges rule Escalate_priviledges
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Communications use DNS rule Network_DNS
description Take ScreenShot rule ScreenShot
description Match Windows Inet API call rule Str_Win32_Internet_API
description Google Chrome User Data Check rule Chrome_User_Data_Check_Zero
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Run a KeyLogger rule KeyLogger
host 91.192.100.10
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2784
region_size: 528384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000000000000270
1 0 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $<‰ä%xèŠvxèŠvxèŠvÌt{vkèŠvÌtyvßèŠvÌtxvfèŠvqvyèŠvæHMvzèŠvÕ¶‰wbèŠvÕ¶wBèŠvÕ¶ŽwZèŠvqvaèŠvxè‹vBéŠvͶƒwèŠvͶuvyèŠvͶˆwyèŠvRichxèŠvPEL¥vdà l D€@€HÞ€$KÐH;àÂ8tÃÃ@€ì.text…kl `.rdataüx€zp@@.data]ê@À.tls `ø@À.gfids0pú@@.rsrc$K€Lþ@@.relocH;Ð<J@B
base_address: 0x0000000000400000
process_identifier: 2784
process_handle: 0x0000000000000270
1 1 0

WriteProcessMemory

buffer: €ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ “    ¬ÅE°ÈEªÅE..€G\G\G\G\G\G\G\G\G\G„G`G`G`G`G`G`G`GˆGÿÿÿÿ°ÈE¨G¨G¨G¨G¨GˆG0ËE°ÌEøÚEèG€GCPSTPDT°GðGÿÿÿÿÿÿÿÿÿÿÿÿ€ ¤`‚y‚!¦ß¡¥Ÿàü@~€ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ€Gþÿÿÿþÿÿÿu˜Ï!­tåša¾Œe¸‘¢z»Œ^ž âȨ3œ¶FEA$¶F½GA0¶FÜDA´†E.?AVtype_info@@´†E.?AVbad_alloc@std@@´†E.?AVbad_array_new_length@std@@´†E.?AVlogic_error@std@@´†E.?AVlength_error@std@@´†E.?AVout_of_range@std@@´†E.?AV_Facet_base@std@@´†E.?AV_Locimp@locale@std@@´†E.?AVfacet@locale@std@@´†E.?AU_Crt_new_delete@std@@´†E.?AVcodecvt_base@std@@´†E.?AUctype_base@std@@´†E.?AV?$ctype@D@std@@´†E.?AV?$codecvt@DDU_Mbstatet@@@std@@´†E.?AVbad_exception@std@@´†E.H´†E.?AVfailure@ios_base@std@@´†E.?AVruntime_error@std@@´†E.?AVsystem_error@std@@´†E.?AVbad_cast@std@@´†E.?AV_System_error@std@@´†E.?AVexception@std@@
base_address: 0x0000000000470000
process_identifier: 2784
process_handle: 0x0000000000000270
1 1 0

WriteProcessMemory

buffer: €
base_address: 0x0000000000476000
process_identifier: 2784
process_handle: 0x0000000000000270
1 1 0

WriteProcessMemory

buffer: f5K5§>ñ9 :§>Y:§>iê§>í —µ–:}}P:nõ]õ‘R9R§>§>_‡²†:ß9î 5HW  ðz®}°ºˆ»áà3@œ†Ó#·•‡DË6;4]Le b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` Ÿž†…¢†…§µ¶³´±²¯°†…¸ Ÿ†… Y
base_address: 0x0000000000477000
process_identifier: 2784
process_handle: 0x0000000000000270
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x000000007efde008
process_identifier: 2784
process_handle: 0x0000000000000270
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $<‰ä%xèŠvxèŠvxèŠvÌt{vkèŠvÌtyvßèŠvÌtxvfèŠvqvyèŠvæHMvzèŠvÕ¶‰wbèŠvÕ¶wBèŠvÕ¶ŽwZèŠvqvaèŠvxè‹vBéŠvͶƒwèŠvͶuvyèŠvͶˆwyèŠvRichxèŠvPEL¥vdà l D€@€HÞ€$KÐH;àÂ8tÃÃ@€ì.text…kl `.rdataüx€zp@@.data]ê@À.tls `ø@À.gfids0pú@@.rsrc$K€Lþ@@.relocH;Ð<J@B
base_address: 0x0000000000400000
process_identifier: 2784
process_handle: 0x0000000000000270
1 1 0
Time & API Arguments Status Return Repeated

SetWindowsHookExA

thread_identifier: 0
callback_function: 0x0040a1cb
hook_identifier: 13 (WH_KEYBOARD_LL)
module_address: 0x00400000
1 393673 0
Process injection Process 2544 resumed a thread in remote process 2784
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000000000000027c
suspend_count: 1
process_identifier: 2784
1 0 0
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000000000000c4
suspend_count: 1
process_identifier: 2544
1 0 0

NtResumeThread

thread_handle: 0x000000000000013c
suspend_count: 1
process_identifier: 2544
1 0 0

NtResumeThread

thread_handle: 0x0000000000000184
suspend_count: 1
process_identifier: 2544
1 0 0

NtResumeThread

thread_handle: 0x0000000000000240
suspend_count: 1
process_identifier: 2544
1 0 0

NtResumeThread

thread_handle: 0x0000000000000258
suspend_count: 1
process_identifier: 2544
1 0 0

NtResumeThread

thread_handle: 0x0000000000000274
suspend_count: 1
process_identifier: 2544
1 0 0

NtGetContextThread

thread_handle: 0x00000000000000d0
1 0 0

NtResumeThread

thread_handle: 0x00000000000000d0
suspend_count: 1
process_identifier: 2544
1 0 0

NtGetContextThread

thread_handle: 0x00000000000000d0
1 0 0

NtGetContextThread

thread_handle: 0x00000000000000d0
1 0 0

NtResumeThread

thread_handle: 0x00000000000000d0
suspend_count: 1
process_identifier: 2544
1 0 0

CreateProcessInternalW

thread_identifier: 2788
thread_handle: 0x000000000000027c
process_identifier: 2784
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe
track: 1
command_line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe"
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x0000000000000270
1 1 0

NtAllocateVirtualMemory

process_identifier: 2784
region_size: 528384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000000000000270
1 0 0

WriteProcessMemory

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $<‰ä%xèŠvxèŠvxèŠvÌt{vkèŠvÌtyvßèŠvÌtxvfèŠvqvyèŠvæHMvzèŠvÕ¶‰wbèŠvÕ¶wBèŠvÕ¶ŽwZèŠvqvaèŠvxè‹vBéŠvͶƒwèŠvͶuvyèŠvͶˆwyèŠvRichxèŠvPEL¥vdà l D€@€HÞ€$KÐH;àÂ8tÃÃ@€ì.text…kl `.rdataüx€zp@@.data]ê@À.tls `ø@À.gfids0pú@@.rsrc$K€Lþ@@.relocH;Ð<J@B
base_address: 0x0000000000400000
process_identifier: 2784
process_handle: 0x0000000000000270
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0000000000401000
process_identifier: 2784
process_handle: 0x0000000000000270
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0000000000458000
process_identifier: 2784
process_handle: 0x0000000000000270
1 1 0

WriteProcessMemory

buffer: €ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ “    ¬ÅE°ÈEªÅE..€G\G\G\G\G\G\G\G\G\G„G`G`G`G`G`G`G`GˆGÿÿÿÿ°ÈE¨G¨G¨G¨G¨GˆG0ËE°ÌEøÚEèG€GCPSTPDT°GðGÿÿÿÿÿÿÿÿÿÿÿÿ€ ¤`‚y‚!¦ß¡¥Ÿàü@~€ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ€Gþÿÿÿþÿÿÿu˜Ï!­tåša¾Œe¸‘¢z»Œ^ž âȨ3œ¶FEA$¶F½GA0¶FÜDA´†E.?AVtype_info@@´†E.?AVbad_alloc@std@@´†E.?AVbad_array_new_length@std@@´†E.?AVlogic_error@std@@´†E.?AVlength_error@std@@´†E.?AVout_of_range@std@@´†E.?AV_Facet_base@std@@´†E.?AV_Locimp@locale@std@@´†E.?AVfacet@locale@std@@´†E.?AU_Crt_new_delete@std@@´†E.?AVcodecvt_base@std@@´†E.?AUctype_base@std@@´†E.?AV?$ctype@D@std@@´†E.?AV?$codecvt@DDU_Mbstatet@@@std@@´†E.?AVbad_exception@std@@´†E.H´†E.?AVfailure@ios_base@std@@´†E.?AVruntime_error@std@@´†E.?AVsystem_error@std@@´†E.?AVbad_cast@std@@´†E.?AV_System_error@std@@´†E.?AVexception@std@@
base_address: 0x0000000000470000
process_identifier: 2784
process_handle: 0x0000000000000270
1 1 0

WriteProcessMemory

buffer: €
base_address: 0x0000000000476000
process_identifier: 2784
process_handle: 0x0000000000000270
1 1 0

WriteProcessMemory

buffer: f5K5§>ñ9 :§>Y:§>iê§>í —µ–:}}P:nõ]õ‘R9R§>§>_‡²†:ß9î 5HW  ðz®}°ºˆ»áà3@œ†Ó#·•‡DË6;4]Le b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` Ÿž†…¢†…§µ¶³´±²¯°†…¸ Ÿ†… Y
base_address: 0x0000000000477000
process_identifier: 2784
process_handle: 0x0000000000000270
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0000000000478000
process_identifier: 2784
process_handle: 0x0000000000000270
1 1 0

WriteProcessMemory

buffer:
base_address: 0x000000000047d000
process_identifier: 2784
process_handle: 0x0000000000000270
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x000000007efde008
process_identifier: 2784
process_handle: 0x0000000000000270
1 1 0

NtResumeThread

thread_handle: 0x000000000000027c
suspend_count: 1
process_identifier: 2784
1 0 0
Lionic Trojan.Win32.Remcos.4!c
DrWeb Trojan.DownloaderNET.345
MicroWorld-eScan Trojan.GenericKD.67616285
FireEye Generic.mg.75c279006f649b36
CAT-QuickHeal Trojanpws.Msil
McAfee Artemis!75C279006F64
Cylance unsafe
Sangfor Suspicious.Win32.Save.a
K7AntiVirus Trojan ( 0059d5381 )
Alibaba Trojan:MSIL/Kryptik.4289b944
K7GW Trojan ( 0059d5381 )
Cybereason malicious.3c10b4
VirIT Trojan.Win64.MSIL_Heur.A
Cyren W64/ABRisk.PFUW-1837
Symantec ML.Attribute.HighConfidence
Elastic malicious (moderate confidence)
ESET-NOD32 a variant of MSIL/Kryptik.AHQJ
Cynet Malicious (score: 100)
Kaspersky HEUR:Trojan-PSW.MSIL.Stealer.gen
BitDefender Trojan.GenericKD.67616285
Avast Win64:PWSX-gen [Trj]
Tencent Win32.Trojan.FalseSign.Nsmw
Emsisoft Trojan.GenericKD.67616285 (B)
F-Secure Heuristic.HEUR/AGEN.1325558
VIPRE Trojan.GenericKD.67616285
TrendMicro TROJ_GEN.R06EC0XFL23
McAfee-GW-Edition Artemis!Trojan
Sophos Troj/Krypt-ZS
SentinelOne Static AI - Suspicious PE
GData Trojan.GenericKD.67616285
Webroot W32.Trojan.Gen
Avira HEUR/AGEN.1325558
Gridinsoft Trojan.Win64.Remcos.bot
Xcitium Malware@#1n5yanpdue0xt
Arcabit Trojan.Generic.D407BE1D
ZoneAlarm HEUR:Trojan-PSW.MSIL.Stealer.gen
Microsoft Trojan:Win32/Remcos.SD!MTB
Google Detected
AhnLab-V3 Trojan/Win.Generic.C5443988
VBA32 Backdoor.RmRAT
ALYac Trojan.GenericKD.67616285
MAX malware (ai score=88)
Malwarebytes Trojan.Crypt.MSIL
Panda Trj/Chgt.AD
TrendMicro-HouseCall TROJ_GEN.R06EC0XFL23
Rising Malware.Obfus/MSIL@AI.100 (RDM.MSIL2:TZFWx9Or41wPYBYImhSbqg)
Ikarus Trojan.MSIL.Crypt
MaxSecure Trojan.Malware.74396735.susgen
Fortinet MSIL/Kryptik.AHQB!tr
AVG Win64:PWSX-gen [Trj]