popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

choileety.exe

Backdoor Client SW User Data Stealer RemcosRAT info stealer Generic Malware browser Google Chrome User Data Downloader Antivirus Admin Tool (Sysinternals etc ...) Socket Escalate priviledges Sniff Audio Create Service Internet API DNS PWS ScreenShot
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us July 20, 2023, 7:40 a.m. July 20, 2023, 7:44 a.m.
Size 705.0KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 da9534900ee0d11c9b30cf33152ea03c
SHA256 ac901bf5882f14e9e07235b8488b6479b4519addda6dbfb89147401c1e9e6e4f
CRC32 372C75E7
ssdeep 12288:k8/HoptmKv8x10D+dHr73q/6pd7UB5k6d5EK7IS5SE/84a:1x1eML76ypZ/6d5bSIO
PDB Path C:\Users\Administrator\Desktop\legadis\choileety\choileety\obj\Debug\choileety.pdb
Yara
  • Admin_Tool_IN_Zero - Admin Tool Sysinternals
  • Is_DotNET_EXE - (no description)
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
91.192.100.10 Active Moloch
91.103.252.31 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: The term 'Remove' is not recognized as the name of a cmdlet, function, script f
console_handle: 0x00000023
1 1 0

WriteConsoleW

 buffer: ile, or operable program. Check the spelling of the name, or if a path was incl
console_handle: 0x0000002f
1 1 0

WriteConsoleW

 buffer: uded, verify that the path is correct and try again.
console_handle: 0x0000003b
1 1 0

WriteConsoleW

 buffer: At line:1 char:7
console_handle: 0x00000047
1 1 0

WriteConsoleW

 buffer: + Remove <<<< -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVer
console_handle: 0x00000053
1 1 0

WriteConsoleW

 buffer: sion\Run' -Name 'timer';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Window
console_handle: 0x0000005f
1 1 0

WriteConsoleW

 buffer: s\CurrentVersion\Run' -Name 'timer' -Value 'C:\Users\test22\AppData\Local\Micro
console_handle: 0x0000006b
1 1 0

WriteConsoleW

 buffer: soft\Windows\Temporary Internet Files\timer\Wsfghjklkjhgfd.exe\timer.exe' -Prop
console_handle: 0x00000077
1 1 0

WriteConsoleW

 buffer: ertyType 'String'
console_handle: 0x00000083
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : ObjectNotFound: (Remove:String) [], CommandNotFo
console_handle: 0x0000008f
1 1 0

WriteConsoleW

 buffer: undException
console_handle: 0x0000009b
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : CommandNotFoundException
console_handle: 0x000000a7
1 1 0

WriteConsoleW

 buffer: PSPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\SOFTWARE\M
console_handle: 0x000000c3
1 1 0

WriteConsoleW

 buffer: icrosoft\Windows\CurrentVersion\Run
console_handle: 0x000000c7
1 1 0

WriteConsoleW

 buffer: PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\SOFTWARE\M
console_handle: 0x000000cb
1 1 0

WriteConsoleW

 buffer: icrosoft\Windows\CurrentVersion
console_handle: 0x000000cf
1 1 0

WriteConsoleW

 buffer: PSChildName : Run
console_handle: 0x000000d3
1 1 0

WriteConsoleW

 buffer: PSDrive : HKCU
console_handle: 0x000000d7
1 1 0

WriteConsoleW

 buffer: PSProvider : Microsoft.PowerShell.Core\Registry
console_handle: 0x000000db
1 1 0

WriteConsoleW

 buffer: timer : C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Intern
console_handle: 0x000000df
1 1 0

WriteConsoleW

 buffer: et Files\timer\Wsfghjklkjhgfd.exe\timer.exe
console_handle: 0x000000e3
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057ca88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057c288
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057c288
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057c288
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057d048
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057d048
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057d048
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057d048
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057d048
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057d048
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057c288
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057c288
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057c288
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057cfc8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057cfc8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057cfc8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057c3c8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057cfc8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057cfc8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057cfc8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057cfc8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057cfc8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057cfc8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057cfc8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057cf88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057cf88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057cf88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057cf88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057cf88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057cf88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057cf88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057cf88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057cf88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057cf88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057cf88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057cf88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057cf88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057cf88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057ce88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057ce88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057ce88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057ce88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057ce88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057ce88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057ce88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057ce88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057ce88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0057ce88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
pdb_path C:\Users\Administrator\Desktop\legadis\choileety\choileety\obj\Debug\choileety.pdb
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 1460
region_size: 1245184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00590000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00680000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1460
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f31000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1460
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f32000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1460
region_size: 2162688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009f0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00bc0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00522000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00595000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0059b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00597000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0053c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0052a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a11000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00546000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0054a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00547000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1460
region_size: 49152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a12000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a1e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a1f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0053a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00bb0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1460
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73db4000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1460
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c11000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c17000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c18000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2520
region_size: 1769472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02810000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72fd1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024ea000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72fd2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024e2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024f2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02811000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2520
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02812000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0251a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024f3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024f4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0252b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02527000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024eb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02512000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02525000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024f5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0251c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04d60000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024f6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0252c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02513000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
description MSBuild.exe tried to sleep 347 seconds, actually delayed analysis time by 347 seconds
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\timer\Wsfghjklkjhgfd.exe\timer.exe
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'timer';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'timer' -Value '"C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\timer\Wsfghjklkjhgfd.exe\timer.exe"' -PropertyType 'String'
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\timer\Wsfghjklkjhgfd.exe\timer.exe
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2524
thread_handle: 0x0000023c
process_identifier: 2520
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'timer';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'timer' -Value '"C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\timer\Wsfghjklkjhgfd.exe\timer.exe"' -PropertyType 'String'
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x00000238
1 1 0
section {u'size_of_data': u'0x0009f000', u'virtual_address': u'0x00002000', u'entropy': 7.9227735875538565, u'name': u'.text', u'virtual_size': u'0x0009efe4'} entropy 7.92277358755 description A section with a high entropy has been found
entropy 0.902767920511 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Create a windows service rule Create_Service
description Client_SW_User_Data_Stealer rule Client_SW_User_Data_Stealer
description Win Backdoor RemcosRAT rule Win_Backdoor_RemcosRAT
description Communications over RAW Socket rule Network_TCP_Socket
description browser info stealer rule infoStealer_browser_Zero
description Escalate priviledges rule Escalate_priviledges
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Communications use DNS rule Network_DNS
description Take ScreenShot rule ScreenShot
description Match Windows Inet API call rule Str_Win32_Internet_API
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Google Chrome User Data Check rule Chrome_User_Data_Check_Zero
description Run a KeyLogger rule KeyLogger
description File Downloader rule Network_Downloader
cmdline "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'timer';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'timer' -Value '"C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\timer\Wsfghjklkjhgfd.exe\timer.exe"' -PropertyType 'String'
buffer Buffer with sha1: 8a7a16e1bb29ef6a29ec7e71bdc776d6bdfda170
buffer Buffer with sha1: 3e507a798c474a518a7dfa925906a36e9852bc98
host 91.192.100.10
host 91.103.252.31
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2332
region_size: 528384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000234
1 0 0
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\timer reg_value C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\timer\Wsfghjklkjhgfd.exe\timer.exe
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $<‰ä%xèŠvxèŠvxèŠvÌt{vkèŠvÌtyvßèŠvÌtxvfèŠvqvyèŠvæHMvzèŠvÕ¶‰wbèŠvÕ¶wBèŠvÕ¶ŽwZèŠvqvaèŠvxè‹vBéŠvͶƒwèŠvͶuvyèŠvͶˆwyèŠvRichxèŠvPEL¥vdà l D€@€HÞ€$KÐH;àÂ8tÃÃ@€ì.text…kl `.rdataüx€zp@@.data]ê@À.tls `ø@À.gfids0pú@@.rsrc$K€Lþ@@.relocH;Ð<J@B
base_address: 0x00400000
process_identifier: 2332
process_handle: 0x00000234
1 1 0

WriteProcessMemory

 buffer: €ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ “    ¬ÅE°ÈEªÅE..€G\G\G\G\G\G\G\G\G\G„G`G`G`G`G`G`G`GˆGÿÿÿÿ°ÈE¨G¨G¨G¨G¨GˆG0ËE°ÌEøÚEèG€GCPSTPDT°GðGÿÿÿÿÿÿÿÿÿÿÿÿ€ ¤`‚y‚!¦ß¡¥Ÿàü@~€ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ€Gþÿÿÿþÿÿÿu˜Ï!­tåša¾Œe¸‘¢z»Œ^ž âȨ3œ¶FEA$¶F½GA0¶FÜDA´†E.?AVtype_info@@´†E.?AVbad_alloc@std@@´†E.?AVbad_array_new_length@std@@´†E.?AVlogic_error@std@@´†E.?AVlength_error@std@@´†E.?AVout_of_range@std@@´†E.?AV_Facet_base@std@@´†E.?AV_Locimp@locale@std@@´†E.?AVfacet@locale@std@@´†E.?AU_Crt_new_delete@std@@´†E.?AVcodecvt_base@std@@´†E.?AUctype_base@std@@´†E.?AV?$ctype@D@std@@´†E.?AV?$codecvt@DDU_Mbstatet@@@std@@´†E.?AVbad_exception@std@@´†E.H´†E.?AVfailure@ios_base@std@@´†E.?AVruntime_error@std@@´†E.?AVsystem_error@std@@´†E.?AVbad_cast@std@@´†E.?AV_System_error@std@@´†E.?AVexception@std@@
base_address: 0x00470000
process_identifier: 2332
process_handle: 0x00000234
1 1 0

WriteProcessMemory

 buffer: €
base_address: 0x00476000
process_identifier: 2332
process_handle: 0x00000234
1 1 0

WriteProcessMemory

 buffer: f5K5§>ñ9 :§>Y:§>iê§>í —µ–:}}P:nõ]õ‘R9R§>§>_‡²†:ß9î 5HW  ðz®}°ºˆ»áà3@œ†Ó#·•‡DË6;4]Le b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` Ÿž†…¢†…§µ¶³´±²¯°†…¸ Ÿ†… Y
base_address: 0x00477000
process_identifier: 2332
process_handle: 0x00000234
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0xfffde008
process_identifier: 2332
process_handle: 0x00000234
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $<‰ä%xèŠvxèŠvxèŠvÌt{vkèŠvÌtyvßèŠvÌtxvfèŠvqvyèŠvæHMvzèŠvÕ¶‰wbèŠvÕ¶wBèŠvÕ¶ŽwZèŠvqvaèŠvxè‹vBéŠvͶƒwèŠvͶuvyèŠvͶˆwyèŠvRichxèŠvPEL¥vdà l D€@€HÞ€$KÐH;àÂ8tÃÃ@€ì.text…kl `.rdataüx€zp@@.data]ê@À.tls `ø@À.gfids0pú@@.rsrc$K€Lþ@@.relocH;Ð<J@B
base_address: 0x00400000
process_identifier: 2332
process_handle: 0x00000234
1 1 0
Time & API Arguments Status Return Repeated

SetWindowsHookExA

 thread_identifier: 0
callback_function: 0x0040a1cb
hook_identifier: 13 (WH_KEYBOARD_LL)
module_address: 0x00400000
1 197075 0
Process injection Process 1460 called NtSetContextThread to modify thread in remote process 2332
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4408333
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000230
process_identifier: 2332
1 0 0
Process injection Process 1460 resumed a thread in remote process 2332
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x00000230
suspend_count: 1
process_identifier: 2332
1 0 0
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 1460
1 0 0

NtResumeThread

 thread_handle: 0x0000014c
suspend_count: 1
process_identifier: 1460
1 0 0

NtResumeThread

 thread_handle: 0x00000190
suspend_count: 1
process_identifier: 1460
1 0 0

CreateProcessInternalW

 thread_identifier: 2336
thread_handle: 0x00000230
process_identifier: 2332
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
track: 1
command_line:
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000234
1 1 0

NtGetContextThread

 thread_handle: 0x00000230
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2332
region_size: 528384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000234
1 0 0

WriteProcessMemory

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $<‰ä%xèŠvxèŠvxèŠvÌt{vkèŠvÌtyvßèŠvÌtxvfèŠvqvyèŠvæHMvzèŠvÕ¶‰wbèŠvÕ¶wBèŠvÕ¶ŽwZèŠvqvaèŠvxè‹vBéŠvͶƒwèŠvͶuvyèŠvͶˆwyèŠvRichxèŠvPEL¥vdà l D€@€HÞ€$KÐH;àÂ8tÃÃ@€ì.text…kl `.rdataüx€zp@@.data]ê@À.tls `ø@À.gfids0pú@@.rsrc$K€Lþ@@.relocH;Ð<J@B
base_address: 0x00400000
process_identifier: 2332
process_handle: 0x00000234
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00401000
process_identifier: 2332
process_handle: 0x00000234
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00458000
process_identifier: 2332
process_handle: 0x00000234
1 1 0

WriteProcessMemory

 buffer: €ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ “    ¬ÅE°ÈEªÅE..€G\G\G\G\G\G\G\G\G\G„G`G`G`G`G`G`G`GˆGÿÿÿÿ°ÈE¨G¨G¨G¨G¨GˆG0ËE°ÌEøÚEèG€GCPSTPDT°GðGÿÿÿÿÿÿÿÿÿÿÿÿ€ ¤`‚y‚!¦ß¡¥Ÿàü@~€ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ€Gþÿÿÿþÿÿÿu˜Ï!­tåša¾Œe¸‘¢z»Œ^ž âȨ3œ¶FEA$¶F½GA0¶FÜDA´†E.?AVtype_info@@´†E.?AVbad_alloc@std@@´†E.?AVbad_array_new_length@std@@´†E.?AVlogic_error@std@@´†E.?AVlength_error@std@@´†E.?AVout_of_range@std@@´†E.?AV_Facet_base@std@@´†E.?AV_Locimp@locale@std@@´†E.?AVfacet@locale@std@@´†E.?AU_Crt_new_delete@std@@´†E.?AVcodecvt_base@std@@´†E.?AUctype_base@std@@´†E.?AV?$ctype@D@std@@´†E.?AV?$codecvt@DDU_Mbstatet@@@std@@´†E.?AVbad_exception@std@@´†E.H´†E.?AVfailure@ios_base@std@@´†E.?AVruntime_error@std@@´†E.?AVsystem_error@std@@´†E.?AVbad_cast@std@@´†E.?AV_System_error@std@@´†E.?AVexception@std@@
base_address: 0x00470000
process_identifier: 2332
process_handle: 0x00000234
1 1 0

WriteProcessMemory

 buffer: €
base_address: 0x00476000
process_identifier: 2332
process_handle: 0x00000234
1 1 0

WriteProcessMemory

 buffer: f5K5§>ñ9 :§>Y:§>iê§>í —µ–:}}P:nõ]õ‘R9R§>§>_‡²†:ß9î 5HW  ðz®}°ºˆ»áà3@œ†Ó#·•‡DË6;4]Le b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` Ÿž†…¢†…§µ¶³´±²¯°†…¸ Ÿ†… Y
base_address: 0x00477000
process_identifier: 2332
process_handle: 0x00000234
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00478000
process_identifier: 2332
process_handle: 0x00000234
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x0047d000
process_identifier: 2332
process_handle: 0x00000234
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0xfffde008
process_identifier: 2332
process_handle: 0x00000234
1 1 0

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4408333
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000230
process_identifier: 2332
1 0 0

NtResumeThread

 thread_handle: 0x00000230
suspend_count: 1
process_identifier: 2332
1 0 0

CreateProcessInternalW

 thread_identifier: 2524
thread_handle: 0x0000023c
process_identifier: 2520
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'timer';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'timer' -Value '"C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\timer\Wsfghjklkjhgfd.exe\timer.exe"' -PropertyType 'String'
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x00000238
1 1 0

NtResumeThread

 thread_handle: 0x000002ac
suspend_count: 1
process_identifier: 2520
1 0 0

NtResumeThread

 thread_handle: 0x00000300
suspend_count: 1
process_identifier: 2520
1 0 0

NtResumeThread

 thread_handle: 0x0000044c
suspend_count: 1
process_identifier: 2520
1 0 0

NtResumeThread

 thread_handle: 0x000004ac
suspend_count: 1
process_identifier: 2520
1 0 0
Bkav W32.Common.B94E7401
Lionic Trojan.Win32.Seraph.4!c
MicroWorld-eScan Trojan.GenericKD.68242180
FireEye Trojan.GenericKD.68242180
McAfee Artemis!DA9534900EE0
Cylance unsafe
Sangfor Downloader.Msil.Remcos.Vc86
Alibaba Trojan:MSIL/Kryptik.e4cf898b
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Generic.D4114BA1
Cyren W32/ABRisk.FDWN-0573
Symantec Trojan Horse
Elastic malicious (high confidence)
ESET-NOD32 a variant of MSIL/Kryptik.PMW
Cynet Malicious (score: 100)
APEX Malicious
Kaspersky HEUR:Trojan-Downloader.MSIL.Seraph.gen
BitDefender Trojan.GenericKD.68242180
Avast Win32:CrypterX-gen [Trj]
Tencent Msil.Trojan-Downloader.Seraph.Timw
Emsisoft Trojan.GenericKD.68242180 (B)
F-Secure Trojan.TR/AD.Remcos.zgvdr
VIPRE Trojan.GenericKD.68242337
McAfee-GW-Edition BehavesLike.Win32.Generic.bc
Trapmine suspicious.low.ml.score
Sophos Mal/Generic-S
SentinelOne Static AI - Malicious PE
Webroot W32.Trojan.GenKD
Avira TR/AD.Remcos.zgvdr
Antiy-AVL Trojan/MSIL.Kryptik
Xcitium Malware@#e4dafy8x064c
Microsoft Trojan:MSIL/Remcos.AAR!MTB
ZoneAlarm HEUR:Trojan-Downloader.MSIL.Seraph.gen
GData Win32.Backdoor.Remcos.WW1L0M
Google Detected
AhnLab-V3 Trojan/Win.Generic.C5418723
BitDefenderTheta Gen:NN.ZemsilF.36318.Sm0@a4DkTDj
ALYac Trojan.GenericKD.68242337
MAX malware (ai score=82)
Malwarebytes Malware.AI.1391334785
Panda Trj/Chgt.AD
TrendMicro-HouseCall TROJ_GEN.R002H0DGI23
Rising Malware.Obfus/MSIL@AI.98 (RDM.MSIL2:SkVHGLsQAtmY2FH9+n4a+A)
Ikarus Trojan.MSIL.Crypt
MaxSecure Trojan.Malware.300983.susgen
Fortinet MSIL/GenKryptik.GKZJ!tr
AVG Win32:CrypterX-gen [Trj]
Cybereason malicious.61fd69
DeepInstinct MALICIOUS
dead_host 192.168.56.103:49193
dead_host 192.168.56.103:49181
dead_host 192.168.56.103:49190
dead_host 192.168.56.103:49177
dead_host 192.168.56.103:49186
dead_host 91.192.100.10:11010
dead_host 192.168.56.103:49174
dead_host 192.168.56.103:49167
dead_host 192.168.56.103:49191
dead_host 192.168.56.103:49194
dead_host 192.168.56.103:49182
dead_host 192.168.56.103:49187
dead_host 192.168.56.103:49175
dead_host 192.168.56.103:49178
dead_host 192.168.56.103:49171
dead_host 192.168.56.103:49188
dead_host 192.168.56.103:49195
dead_host 192.168.56.103:49183
dead_host 192.168.56.103:49184
dead_host 192.168.56.103:49172
dead_host 192.168.56.103:49165
dead_host 192.168.56.103:49179
dead_host 192.168.56.103:49196
dead_host 192.168.56.103:49168
dead_host 192.168.56.103:49189
dead_host 192.168.56.103:49192
dead_host 192.168.56.103:49180
dead_host 192.168.56.103:49185
dead_host 192.168.56.103:49173
dead_host 192.168.56.103:49176
dead_host 192.168.56.103:49197