popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

c35f4ebfa52e9f721f843eac4e01e981.exe

AgentTesla email stealer .NET framework(MSIL) Downloader Code injection Socket Escalate priviledges persistence PWS KeyLogger Sniff Audio DNS ScreenShot AntiDebug PE File PE32 .NET EXE AntiVM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 July 4, 2023, 4:11 p.m. July 4, 2023, 4:14 p.m.
Size 804.5KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 c35f4ebfa52e9f721f843eac4e01e981
SHA256 41a043754970c26089f019e1a5697f5c313b04a50edd76ade835d7e78c4c1658
CRC32 4817595F
ssdeep 12288:nqmfOzGV2umg0UnNNeXIy3zCSkwhLwzMFt4IR4fNF74eSEXGe/XQbLtzHbMU4F+y:nFfO0BmgNivxzLwIFt4pNFY6
Yara
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult
  • PE_Header_Zero - PE File Signature
  • Is_DotNET_EXE - (no description)
  • Win_Trojan_AgentTesla_IN_Zero - Win Trojan AgentTesla
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
microsoft.com
A 20.236.44.162
A 20.76.201.171
A 20.70.246.20
A 20.231.239.246
A 20.112.250.133
20.112.250.133
IP Address Status Action
164.124.101.2 Active Moloch
194.147.140.197 Active Moloch
20.236.44.162 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49172 -> 20.236.44.162:80 2260002 SURICATA Applayer Detect protocol only one direction Generic Protocol Command Decode
TCP 194.147.140.197:3601 -> 192.168.56.101:49171 2038897 ET MALWARE Warzone RAT Response (Inbound) A Network Trojan was detected
TCP 194.147.140.197:3601 -> 192.168.56.101:49171 2038897 ET MALWARE Warzone RAT Response (Inbound) A Network Trojan was detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function
console_handle: 0x00000023
1 1 0

WriteConsoleW

 buffer: , script file, or operable program. Check the spelling of the name, or if a pat
console_handle: 0x0000002f
1 1 0

WriteConsoleW

 buffer: h was included, verify that the path is correct and try again.
console_handle: 0x0000003b
1 1 0

WriteConsoleW

 buffer: At line:1 char:17
console_handle: 0x00000047
1 1 0

WriteConsoleW

 buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Roaming\tjEyktR
console_handle: 0x00000053
1 1 0

WriteConsoleW

 buffer: B.exe
console_handle: 0x0000005f
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co
console_handle: 0x0000006b
1 1 0

WriteConsoleW

 buffer: mmandNotFoundException
console_handle: 0x00000077
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : CommandNotFoundException
console_handle: 0x00000083
1 1 0

WriteConsoleW

 buffer: SUCCESS: The scheduled task "Updates\tjEyktRB" has successfully been created.
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d05a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d0b20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d0b20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d0b20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d06a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d06a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d06a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d06a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d06a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d06a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d0160
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d0160
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d0160
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d0b20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d0b20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d0b20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d0a20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d0b20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d0b20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d0b20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d0b20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d0b20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d0b20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d0b20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d02a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d02a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d02a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d02a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d02a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d02a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d02a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d02a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d02a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d02a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d02a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d02a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d02a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d02a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d0f20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d0f20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d0f20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d0f20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d0f20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d0f20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d0f20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003d0f20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
file C:\Program Files\Mozilla Firefox\firefox.exe
registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2560
region_size: 1966080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00aa0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727a2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2560
region_size: 1703936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02390000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002a2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002bc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00590000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00591000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00592000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00593000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00594000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00595000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2560
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00596000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002db000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002d7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a8e000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a8e000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009d0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009d0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009d0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009d2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6b000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceW

 number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 3\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 11\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 20\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 5\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 10\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 8\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 4\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 15\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 18\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 9\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 2\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 7\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 16\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 13\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 6\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 17\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 12\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 14\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 19\Login Data
file C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Temp\softokn3.dll
file C:\Users\test22\AppData\Local\Temp\vcruntime140.dll
file C:\Users\test22\AppData\Local\Temp\mozglue.dll
file C:\Users\test22\AppData\Local\Temp\nss3.dll
file C:\Users\test22\AppData\Local\Temp\msvcp140.dll
file C:\Users\test22\AppData\Local\Temp\freebl3.dll
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\tjEyktRB.exe"
cmdline schtasks.exe /Create /TN "Updates\tjEyktRB" /XML "C:\Users\test22\AppData\Local\Temp\tmp9A47.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tjEyktRB" /XML "C:\Users\test22\AppData\Local\Temp\tmp9A47.tmp"
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\tjEyktRB.exe"
wmi
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: powershell
parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\tjEyktRB.exe"
filepath: powershell
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: schtasks.exe
parameters: /Create /TN "Updates\tjEyktRB" /XML "C:\Users\test22\AppData\Local\Temp\tmp9A47.tmp"
filepath: schtasks.exe
1 1 0
section {u'size_of_data': u'0x000bce00', u'virtual_address': u'0x00002000', u'entropy': 7.485755695982604, u'name': u'.text', u'virtual_size': u'0x000bcce4'} entropy 7.48575569598 description A section with a high entropy has been found
section {u'size_of_data': u'0x0000c000', u'virtual_address': u'0x000c0000', u'entropy': 7.961721139250695, u'name': u'.rsrc', u'virtual_size': u'0x0000bf98'} entropy 7.96172113925 description A section with a high entropy has been found
entropy 0.999378109453 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
url http://microsoft.com/
description Communications over RAW Socket rule Network_TCP_Socket
description File Downloader rule Network_Downloader
description Escalate priviledges rule Escalate_priviledges
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Communications use DNS rule Network_DNS
description Take ScreenShot rule ScreenShot
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Install itself for autorun at Windows startup rule Persistence
description email clients info stealer rule infoStealer_emailClients_Zero
description Run a KeyLogger rule KeyLogger
cmdline schtasks.exe /Create /TN "Updates\tjEyktRB" /XML "C:\Users\test22\AppData\Local\Temp\tmp9A47.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tjEyktRB" /XML "C:\Users\test22\AppData\Local\Temp\tmp9A47.tmp"
host 194.147.140.197
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 604
region_size: 1425408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000003fc
1 0 0
description c35f4ebfa52e9f721f843eac4e01e981.exe tried to sleep 2728503 seconds, actually delayed analysis time by 2728503 seconds
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÉWdE¨97E¨97E¨97†§f7D¨97QÃ>6D¨97†§d7G¨97QÃ=6F¨97bnT7D¨97bnW7@¨97@¤67A¨97QÃ?6D¨97QÃ86f¨97E¨87F©97ÄÑ06¨97ÄÑÆ7D¨97ÄÑ;6D¨97RichE¨97PEL±dà êžg @À@…Ýh`p,T@Û .textۏ `.rdataŽS T”@@.data¸Qè@À.rsrcp,`.î@@.relocT@B.bss°2@@
base_address: 0x00400000
process_identifier: 604
process_handle: 0x000003fc
1 1 0

WriteProcessMemory

 buffer: @$@8@G@V@e@t@–@¸@Ú@ü@/@E@g@™TÍ<¨‡K¢`ˆˆÝ;UBÄôKŠ› A³€ÝJpMÛ(`B`BU‹ì‹U‹E‹È…Òt ÆAƒêu÷]ÃU‹ìd¡0ƒì‹@ SVW‹x 駋G03ö‹_,‹?‰Eø‹B<‰}ô‹Dx‰Eð…À„…Áë3ɅÛt-‹}ø¾ÁÎ €<a‰Uø| ‹ÂƒÀàðëuøA;ËrߋUü‹}ô‹Eð‹L3ۋD ‰Mì…Ét<‹3ÿʃÀ‰Mø‹Ñ‰EèŠ ÁÏ ¾ÁøB„Éuñ‹Uü‰}ø‹Eø‹}ôÆ;Et ‹EèC;]ìrċW‰Uü…Ò…Kÿÿÿ3À_^[É‹uð‹D$X· ‹Dˆ‹ÂëÝU‹ìì¼‹ESVW‹XhLw&‰M ‰]¸èèþÿÿ‹ðÇEÄkern3ÀÇEÈel32ˆEЈEލEÄPÇEÌ.dllÇEàntdlÇEäl.dlfÇEèlÇEÔuserÇEØ32.dfÇEÜllfÇEø1fÇEü2ÿ֍EàPÿ֍EÔPÿÖhX¤SåèyþÿÿhyÌ?†‰EèlþÿÿhEƒV‰Eôè_þÿÿhDð5à‰EÀèRþÿÿhP‰E¤èEþÿÿhƖ‡R‰Eœè8þÿÿh_xTî‰Eðè+þÿÿhÚöÚO‰E˜èþÿÿ‹øhÆp‰}´èþÿÿh­ž_»‹ðèþÿÿh-W®[‰E¼èöýÿÿ‰E¬3ÀPh€jPPh€S‰E¨ÿ×j‰EìPÿ֋]‹ø‰}°jh0WjÿӋð…ötîjE¨PW‹}ìVWÿU¼WÿUð€>M‹]¸t jEøPPjÿUÀÆE hà.ÿU¤3À}ˆ«jDj«««…DÿÿÿPèTýÿÿƒÄ ÿu jhÿÿÿUœ‰E¼…ÀuOEˆP…DÿÿÿP3ÀPPPPPPPSÿUô…À…¯PPjPPh@S‰E¸ÿU´‹øjƒÿÿtE¸ë^EüPPjÿUÀ鄃eìMìQPÿU˜}ìtoEˆP…DÿÿÿP3ÀPPPPPPPSÿUô…ÀuOPPjPPh@S‰EÿU´‹øjƒÿÿt*EPÿu°VWÿU¬WÿUðEˆP…DÿÿÿP3ÀPPPPPPPSÿUôë EüPPjÿUÀÆE ÿu¼ÿUð€} „åþÿÿ_^[ÉÃÈÒAd
base_address: 0x00420000
process_identifier: 604
process_handle: 0x000003fc
1 1 0

WriteProcessMemory

 buffer: 2½™²Ô ’K-Øì¤Äͱ5UüÐíšV唇cZeí·G¿Ê„”jÄ¥2Š4C# hÃ̊Ãòí܌O7‡J6T~ÀžI¨f8’¬R†+W”;\i­XäAÅ~I~Æcw׸õ'þߓ>:SWäŠþ^smîIÈ°H­p¾é…NE™€fˆ?TFΒ¨ëÈR¢¥7S§l£
base_address: 0x0055b000
process_identifier: 604
process_handle: 0x000003fc
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 604
process_handle: 0x000003fc
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÉWdE¨97E¨97E¨97†§f7D¨97QÃ>6D¨97†§d7G¨97QÃ=6F¨97bnT7D¨97bnW7@¨97@¤67A¨97QÃ?6D¨97QÃ86f¨97E¨87F©97ÄÑ06¨97ÄÑÆ7D¨97ÄÑ;6D¨97RichE¨97PEL±dà êžg @À@…Ýh`p,T@Û .textۏ `.rdataŽS T”@@.data¸Qè@À.rsrcp,`.î@@.relocT@B.bss°2@@
base_address: 0x00400000
process_identifier: 604
process_handle: 0x000003fc
1 1 0
registry HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Process injection Process 2560 called NtSetContextThread to modify thread in remote process 604
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4220830
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000003f4
process_identifier: 604
1 0 0
file C:\Users\test22\AppData\Local\Temp\c35f4ebfa52e9f721f843eac4e01e981.exe:Zone.Identifier
Process injection Process 2560 resumed a thread in remote process 604
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000003f4
suspend_count: 1
process_identifier: 604
1 0 0
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 2560
1 0 0

NtResumeThread

 thread_handle: 0x00000150
suspend_count: 1
process_identifier: 2560
1 0 0

NtResumeThread

 thread_handle: 0x0000018c
suspend_count: 1
process_identifier: 2560
1 0 0

NtResumeThread

 thread_handle: 0x00000200
suspend_count: 1
process_identifier: 2560
1 0 0

NtGetContextThread

 thread_handle: 0x000000e4
1 0 0

NtGetContextThread

 thread_handle: 0x000000e4
1 0 0

NtResumeThread

 thread_handle: 0x000000e4
suspend_count: 1
process_identifier: 2560
1 0 0

NtResumeThread

 thread_handle: 0x00000310
suspend_count: 1
process_identifier: 2560
1 0 0

CreateProcessInternalW

 thread_identifier: 2960
thread_handle: 0x00000444
process_identifier: 2956
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\tjEyktRB.exe"
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000044c
1 1 0

CreateProcessInternalW

 thread_identifier: 3008
thread_handle: 0x00000404
process_identifier: 3004
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tjEyktRB" /XML "C:\Users\test22\AppData\Local\Temp\tmp9A47.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000044c
1 1 0

CreateProcessInternalW

 thread_identifier: 812
thread_handle: 0x000003f4
process_identifier: 604
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\c35f4ebfa52e9f721f843eac4e01e981.exe
track: 1
command_line:
filepath_r: C:\Users\test22\AppData\Local\Temp\c35f4ebfa52e9f721f843eac4e01e981.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000003fc
1 1 0

NtGetContextThread

 thread_handle: 0x000003f4
1 0 0

NtAllocateVirtualMemory

 process_identifier: 604
region_size: 1425408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000003fc
1 0 0

WriteProcessMemory

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÉWdE¨97E¨97E¨97†§f7D¨97QÃ>6D¨97†§d7G¨97QÃ=6F¨97bnT7D¨97bnW7@¨97@¤67A¨97QÃ?6D¨97QÃ86f¨97E¨87F©97ÄÑ06¨97ÄÑÆ7D¨97ÄÑ;6D¨97RichE¨97PEL±dà êžg @À@…Ýh`p,T@Û .textۏ `.rdataŽS T”@@.data¸Qè@À.rsrcp,`.î@@.relocT@B.bss°2@@
base_address: 0x00400000
process_identifier: 604
process_handle: 0x000003fc
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00401000
process_identifier: 604
process_handle: 0x000003fc
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x0041a000
process_identifier: 604
process_handle: 0x000003fc
1 1 0

WriteProcessMemory

 buffer: @$@8@G@V@e@t@–@¸@Ú@ü@/@E@g@™TÍ<¨‡K¢`ˆˆÝ;UBÄôKŠ› A³€ÝJpMÛ(`B`BU‹ì‹U‹E‹È…Òt ÆAƒêu÷]ÃU‹ìd¡0ƒì‹@ SVW‹x 駋G03ö‹_,‹?‰Eø‹B<‰}ô‹Dx‰Eð…À„…Áë3ɅÛt-‹}ø¾ÁÎ €<a‰Uø| ‹ÂƒÀàðëuøA;ËrߋUü‹}ô‹Eð‹L3ۋD ‰Mì…Ét<‹3ÿʃÀ‰Mø‹Ñ‰EèŠ ÁÏ ¾ÁøB„Éuñ‹Uü‰}ø‹Eø‹}ôÆ;Et ‹EèC;]ìrċW‰Uü…Ò…Kÿÿÿ3À_^[É‹uð‹D$X· ‹Dˆ‹ÂëÝU‹ìì¼‹ESVW‹XhLw&‰M ‰]¸èèþÿÿ‹ðÇEÄkern3ÀÇEÈel32ˆEЈEލEÄPÇEÌ.dllÇEàntdlÇEäl.dlfÇEèlÇEÔuserÇEØ32.dfÇEÜllfÇEø1fÇEü2ÿ֍EàPÿ֍EÔPÿÖhX¤SåèyþÿÿhyÌ?†‰EèlþÿÿhEƒV‰Eôè_þÿÿhDð5à‰EÀèRþÿÿhP‰E¤èEþÿÿhƖ‡R‰Eœè8þÿÿh_xTî‰Eðè+þÿÿhÚöÚO‰E˜èþÿÿ‹øhÆp‰}´èþÿÿh­ž_»‹ðèþÿÿh-W®[‰E¼èöýÿÿ‰E¬3ÀPh€jPPh€S‰E¨ÿ×j‰EìPÿ֋]‹ø‰}°jh0WjÿӋð…ötîjE¨PW‹}ìVWÿU¼WÿUð€>M‹]¸t jEøPPjÿUÀÆE hà.ÿU¤3À}ˆ«jDj«««…DÿÿÿPèTýÿÿƒÄ ÿu jhÿÿÿUœ‰E¼…ÀuOEˆP…DÿÿÿP3ÀPPPPPPPSÿUô…À…¯PPjPPh@S‰E¸ÿU´‹øjƒÿÿtE¸ë^EüPPjÿUÀ鄃eìMìQPÿU˜}ìtoEˆP…DÿÿÿP3ÀPPPPPPPSÿUô…ÀuOPPjPPh@S‰EÿU´‹øjƒÿÿt*EPÿu°VWÿU¬WÿUðEˆP…DÿÿÿP3ÀPPPPPPPSÿUôë EüPPjÿUÀÆE ÿu¼ÿUð€} „åþÿÿ_^[ÉÃÈÒAd
base_address: 0x00420000
process_identifier: 604
process_handle: 0x000003fc
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00556000
process_identifier: 604
process_handle: 0x000003fc
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00559000
process_identifier: 604
process_handle: 0x000003fc
1 1 0

WriteProcessMemory

 buffer: 2½™²Ô ’K-Øì¤Äͱ5UüÐíšV唇cZeí·G¿Ê„”jÄ¥2Š4C# hÃ̊Ãòí܌O7‡J6T~ÀžI¨f8’¬R†+W”;\i­XäAÅ~I~Æcw׸õ'þߓ>:SWäŠþ^smîIÈ°H­p¾é…NE™€fˆ?TFΒ¨ëÈR¢¥7S§l£
base_address: 0x0055b000
process_identifier: 604
process_handle: 0x000003fc
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 604
process_handle: 0x000003fc
1 1 0

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4220830
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000003f4
process_identifier: 604
1 0 0

NtResumeThread

 thread_handle: 0x000003f4
suspend_count: 1
process_identifier: 604
1 0 0

NtResumeThread

 thread_handle: 0x00000444
suspend_count: 1
process_identifier: 2560
1 0 0

NtResumeThread

 thread_handle: 0x00000294
suspend_count: 1
process_identifier: 2956
1 0 0

NtResumeThread

 thread_handle: 0x000002e8
suspend_count: 1
process_identifier: 2956
1 0 0

NtResumeThread

 thread_handle: 0x00000444
suspend_count: 1
process_identifier: 2956
1 0 0

NtResumeThread

 thread_handle: 0x000004a4
suspend_count: 1
process_identifier: 2956
1 0 0
Lionic Trojan.Win32.Taskun.4!c
tehtris Generic.Malware
ALYac Gen:Variant.MSILHeracles.85961
Cylance unsafe
Sangfor Suspicious.Win32.Save.a
K7AntiVirus Trojan ( 005a7f2e1 )
Alibaba Trojan:MSIL/AgentTesla.30d27f80
K7GW Trojan ( 005a7f2e1 )
Cybereason malicious.91c1ea
VirIT Trojan.Win32.MSIL_Heur.A
Cyren W32/MSIL_Agent.FPI.gen!Eldorado
Symantec Scr.Malcode!gdn34
Elastic malicious (high confidence)
ESET-NOD32 a variant of MSIL/Kryptik_AGen.AZJ
APEX Malicious
Cynet Malicious (score: 100)
Kaspersky HEUR:Trojan.MSIL.Taskun.gen
BitDefender Gen:Variant.MSILHeracles.85961
MicroWorld-eScan Gen:Variant.MSILHeracles.85961
Avast Win32:RATX-gen [Trj]
Tencent Malware.Win32.Gencirc.13e223a0
Emsisoft Gen:Variant.MSILHeracles.85961 (B)
F-Secure Heuristic.HEUR/AGEN.1310827
DrWeb Trojan.Siggen21.2650
VIPRE Gen:Variant.MSILHeracles.85961
TrendMicro Backdoor.Win32.WARZONE.YXDF4Z
McAfee-GW-Edition BehavesLike.Win32.Generic.cc
FireEye Generic.mg.c35f4ebfa52e9f72
Sophos Mal/Generic-S
Ikarus Trojan.MSIL.Inject
GData Gen:Variant.MSILHeracles.85961
Avira HEUR/AGEN.1310827
Antiy-AVL Trojan/MSIL.Kryptik
Arcabit Trojan.MSILHeracles.D14FC9
ZoneAlarm HEUR:Trojan.MSIL.Taskun.gen
Microsoft Trojan:MSIL/AgentTesla.RCK!MTB
Google Detected
McAfee Artemis!C35F4EBFA52E
MAX malware (ai score=85)
VBA32 CIL.HeapOverride.Heur
Malwarebytes Trojan.MalPack.PNG
Panda Trj/Chgt.AD
TrendMicro-HouseCall Backdoor.Win32.WARZONE.YXDF4Z
Rising Malware.Obfus/MSIL@AI.98 (RDM.MSIL2:Okucsq0zxg9lprBreNMFYg)
SentinelOne Static AI - Malicious PE
MaxSecure Trojan.Malware.300983.susgen
Fortinet MSIL/Agent.PWSX!tr
BitDefenderTheta Gen:NN.ZemsilF.36270.Ym0@a4zGrWf
AVG Win32:RATX-gen [Trj]
DeepInstinct MALICIOUS