Summary | ZeroBOX

adobe-explorer.exe

Tags Malicious Library, UPX, OS Processor Check, PE32, PE File
Category FILE
Machine s1_win7_x6401
Started July 21, 2023, 12:58 p.m.
Completed July 21, 2023, 1 p.m.
Size 2.4MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 f6637dd80c1bf55fdf7d31f1d857a155
SHA256 930ed2eef19f9a8fe45fc227cefc8d7369ef251c489b592d1f060f506d68bbba
CRC32 3A0DCF84
ssdeep 49152:Ayr13C8ZAInUxXaqHBkuluNH3iYGnFDB9KYl+NVoQ8ngkfWEGWDv3XPjVAjknL2Z:717ZAIwXaqHJluNH3iY+DL6NVX8ngkf6
PDB Path C:\BuildAgent\work\f528c7da27d4599a\Sources\FMStarter\bin\Release\FreemakeVideoConverter.pdb
Yara
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response
texasgrudgecompany.com 5.8.18.42
IP Address Status
164.124.101.2 Active
5.8.18.42 Active

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
pdb_path C:\BuildAgent\work\f528c7da27d4599a\Sources\FMStarter\bin\Release\FreemakeVideoConverter.pdb
section imhkvfk
section .deena
section .brena
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 524288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00700000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 1572864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02390000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76f2f000
process_handle: 0xffffffff
1 0 0
section imhkvfk (virtual_address 0x0022e000, virtual_size 0x000350b8, size_of_data 0x00035200, entropy 7.981965805382141) entropy 7.98196580538 description A section with a high entropy has been found
Time & API Arguments Status Return Repeated

Process32NextW

snapshot_handle: 0x000000ec
process_name: adobe-explorer.exe
process_identifier: 2552
0 0

Process32NextW

snapshot_handle: 0x000000f0
process_name: schtasks.exe
process_identifier: 2604
0 0

Process32NextW

snapshot_handle: 0x000000f4
process_name: conhost.exe
process_identifier: 2612
0 0

Process32NextW

snapshot_handle: 0x000000f8
process_name: conhost.exe
process_identifier: 2612
0 0

Process32NextW

snapshot_handle: 0x000000fc
process_name: conhost.exe
process_identifier: 2612
0 0

Process32NextW

snapshot_handle: 0x00000100
process_name: conhost.exe
process_identifier: 2612
0 0

Process32NextW

snapshot_handle: 0x00000104
process_name: conhost.exe
process_identifier: 2612
0 0

Process32NextW

snapshot_handle: 0x00000108
process_name: conhost.exe
process_identifier: 2612
0 0

Process32NextW

snapshot_handle: 0x0000010c
process_name: conhost.exe
process_identifier: 2612
0 0

Process32NextW

snapshot_handle: 0x00000110
process_name: adobe-explorer.exe
process_identifier: 2552
0 0

Process32NextW

snapshot_handle: 0x00000114
process_name: adobe-explorer.exe
process_identifier: 2552
0 0

Process32NextW

snapshot_handle: 0x00000118
process_name: adobe-explorer.exe
process_identifier: 2552
0 0

Process32NextW

snapshot_handle: 0x0000011c
process_name: adobe-explorer.exe
process_identifier: 2552
0 0

Process32NextW

snapshot_handle: 0x00000120
process_name: adobe-explorer.exe
process_identifier: 2552
0 0

Process32NextW

snapshot_handle: 0x00000124
process_name: adobe-explorer.exe
process_identifier: 2552
0 0

Process32NextW

snapshot_handle: 0x00000128
process_name: adobe-explorer.exe
process_identifier: 2552
0 0

Process32NextW

snapshot_handle: 0x0000012c
process_name: adobe-explorer.exe
process_identifier: 2552
0 0

Process32NextW

snapshot_handle: 0x00000130
process_name: adobe-explorer.exe
process_identifier: 2552
0 0

Process32NextW

snapshot_handle: 0x00000134
process_name: adobe-explorer.exe
process_identifier: 2552
0 0

Process32NextW

snapshot_handle: 0x00000138
process_name: adobe-explorer.exe
process_identifier: 2552
0 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2716
region_size: 180224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002bc
1 0 0

NtProtectVirtualMemory

process_identifier: 2716
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76f2f000
process_handle: 0x000002bc
1 0 0

NtAllocateVirtualMemory

process_identifier: 2716
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000e0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002bc
1 0 0

NtAllocateVirtualMemory

process_identifier: 2716
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002bc
1 0 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer:
base_address: 0x0040e000
process_identifier: 2716
process_handle: 0x000002bc
1 1 0

WriteProcessMemory

buffer: +šö˜Ïø€]sL„̪Á¹¢%óÝ`FŽévåŒt>úÔ¼Yïȋ§½‘¥Êš\ÞúÝôɲ×=OîÒñ-~¨¼ŸÞtÉ«Qõ^Ø=\·«_Õç£7ºÊ!{3ä¦NÒ /ùl†¨.*+'b´÷Š¸Ž\©Á0 VDzÞ`°ç3½ô=óT’xå¸÷9¼XÌþiK 6 >9먗Ñè @'Æñ©äLå"•=/“T¡w^I‹p«ZXv+â ôtm÷¡„##MQ¦ïþsɘ,ÿÿÿÿSOFTWARE\Microsoft\Windows NT\CurrentVersionSoftware\Microsoft\Windows\CurrentVersion\RunOnceCSDVersionProductNamex86x64p \/[]*-_:µä[Jú-EœÝ]³Qçëô|UÓšsøó.ô|UÓšsøó.ô|UÓšsøó.ô|UÓšsøó.ô|UÓšsøó.ô|UÓšsøó.ô|UÓšsøó.ô|UÓšsøó.‘fFgÚwË©úÞV¯Ç[fúÆûÚo+ Û5v ø³ó⦴IÝÎzKÅ݌Þf)o@S "-ªt)gò(íÏ]‹R—z¤Ü±£ù¢ ‘y|¨]؆h⇲ÏÑá÷Að‡´ƒ!úÞB›}’-µ]HÍ·¾B\ÔôÄï út}•-¿CH·?¾BԞĽÛþ¨ &ï út¤Ü-ôýpf0HG2ÝÅ]¢~>; ‘¿Á-¸I±úÞÅ¢x¯Mg&têE‚˜Ô²<T«Æ…ú?Þ,Î ¢¹¬[vø€ u9>!gŸ*2DyNÓ¬ÏÞegls0+Ί›öëò ZµÍšY0v"}^lÂ#ß>5ž˜sÚUö+Ê¢VJ5°ïF+ÌSãÁÊZ/QÒ­b2‡r³WZÞ\‡öÝô”îÜ|èìÌ&ØӶǼpˆ- *°r¾‘,~J’$O©éŒš'ÆU&† "1›zÈ\î²Þ\#îçšÚÃývðV՝¤eµ×ìƒe«|pþ!qw2|ëTÄ;ª7^-g‡Ž8FUÑ(ÇKą‘¸kÍKS0Ù8«õ•H û䲉|œìÝþ‹*«ñdµ­À}â©ÙWx¶¨xRÃÖP®áb'·dÜ×®É)„š\QC’ž1ïä_i5Nß;p¨Ún[ª)u‰žNj¼«šHmâTkÀx¡7ä.ë<ƒ; ³Ø8ýyðÜÎf>™kA™Š H›°†:[Sæ·ù üÞÊ[¨íú<].ZòÞ| ]Ôñ±|?ï(|“Zgï£áÍDö4ïaÄ”¤/nõh©P³ü ±G*GVäú>ôމàG)?ðºö^ö–pÉDÇy'ðÈ­OTäր…²ÌŸ~¦‹S«Âéñ•MtÈi¿ùnˆa0‹ì4¯m®ªXz$^¾òp$UØ SZÒûL¬—Ñ¢Až¯ AÜø,‘»–ÑÍÝÔö•Œ¯ÓDÃZ·P †„~ýËK ô¶Kî¢9е[#j%­på4ÊÆë(ŒîûÞ¼ñžk¿óI‘J¨P“¥=ûÚmË«Œƒd"ùé´÷ «â²Q,ñ©·@Üíë.}nˆÆêƒ×_Roτþ:›0f&(øk/ÿZŸÇÓ·†QEPÉo}Èú»î‡ÞÊ"()Set On Error Resume Next = CreateObjectScripting.FileSystemObjectwhile .FileExists.DeleteFile wend.DeleteFolder .DeleteFile(Wscript.ScriptFullName) #Œ8ƒ¸RO[ÌOË¥´´è*ÞlºRmò?®­+DûŸ¨|šëU­¼ŸZip.dll.exe\ [Ctrl + [Ctrl] [Alt + [Alt]() Clipboard Start[Clipboard End]image/jpegUN.vbs.zipMessage
base_address: 0x0040f000
process_identifier: 2716
process_handle: 0x000002bc
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0042a000
process_identifier: 2716
process_handle: 0x000002bc
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0042b000
process_identifier: 2716
process_handle: 0x000002bc
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2716
process_handle: 0x000002bc
1 1 0

WriteProcessMemory

buffer: C:\Users\test22\AppData\Roaming\exgssi.exe
base_address: 0x000f0000
process_identifier: 2716
process_handle: 0x000002bc
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x77010234
process_identifier: 2716
process_handle: 0x000002bc
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x77010230
process_identifier: 2716
process_handle: 0x000002bc
1 1 0
MicroWorld-eScan Trojan.GenericKD.68273325
BitDefender Trojan.GenericKD.68273325
Avast Win32:Malware-gen
Emsisoft Trojan.GenericKD.68273325 (B)
McAfee-GW-Edition Artemis
FireEye Trojan.GenericKD.68273325
GData Win32.Backdoor.Parallax.W3L1QB
Gridinsoft Trojan.Win32.Gen.bot
Microsoft Trojan:Win32/Sonbokli.A!cl
McAfee Artemis!F6637DD80C1B
MAX malware (ai score=86)
TrendMicro-HouseCall TROJ_GEN.F0D1C00GK23
Fortinet Malicious_Behavior.SB
AVG Win32:Malware-gen
file C:\Users\test22\AppData\Roaming\exgssi.exe:Zone.Identifier
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2720
thread_handle: 0x000002b8
process_identifier: 2716
current_directory:
filepath: C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\adobe-explorer.exe"
filepath_r: C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 1
process_handle: 0x000002bc
1 1 0

NtGetContextThread

thread_handle: 0x000002b8
1 0 0

NtAllocateVirtualMemory

process_identifier: 2716
region_size: 180224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002bc
1 0 0

WriteProcessMemory

buffer:
base_address: 0x00401000
process_identifier: 2716
process_handle: 0x000002bc
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0040e000
process_identifier: 2716
process_handle: 0x000002bc
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0040f000
process_identifier: 2716
process_handle: 0x000002bc
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00417000
process_identifier: 2716
process_handle: 0x000002bc
0 0

WriteProcessMemory

buffer:
base_address: 0x00418000
process_identifier: 2716
process_handle: 0x000002bc
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0042a000
process_identifier: 2716
process_handle: 0x000002bc
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0042b000
process_identifier: 2716
process_handle: 0x000002bc
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2716
process_handle: 0x000002bc
1 1 0

NtAllocateVirtualMemory

process_identifier: 2716
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000e0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002bc
1 0 0

NtAllocateVirtualMemory

process_identifier: 2716
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002bc
1 0 0

WriteProcessMemory

buffer: C:\Users\test22\AppData\Roaming\exgssi.exe
base_address: 0x000f0000
process_identifier: 2716
process_handle: 0x000002bc
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x77010234
process_identifier: 2716
process_handle: 0x000002bc
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x77010230
process_identifier: 2716
process_handle: 0x000002bc
1 1 0