Summary | ZeroBOX

xnnwljxxbbawjwlmac.exe

Generic Malware email stealer .NET framework(MSIL) Downloader Antivirus Possible Infostealer Activity Code injection Socket Escalate privileges PWS KeyLogger Internet API DNS persistence AntiDebug PE32 PE File .NET EXE AntiVM
Category Machine Started Completed
FILE s1_win7_x6403_us Feb. 13, 2024, 12:17 p.m. Feb. 13, 2024, 12:19 p.m.
Size 870.5KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 0c74bc9529b8d9f96fc7e1b47559abd1
SHA256 bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a
CRC32 B0BCC5D9
ssdeep 24576:B44dBZcMzXROOhbXxHZCnkgDAN1jtyhfz87brh8:zdBZNzXROUtHZKu1+fz87h
PDB Path WYScNRo.pdb
Yara
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature
  • Is_DotNET_EXE - (no description)
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

Name Response Post-Analysis Lookup
makatti.duckdns.org 94.156.68.226
IP Address Status Action
164.124.101.2 Active Moloch
94.156.68.226 Active Moloch

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: , script file, or operable program. Check the spelling of the name, or if a pat
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: h was included, verify that the path is correct and try again.
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: At line:1 char:17
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Roaming\IDXJRvJ
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: UpAIjP.exe
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co
console_handle: 0x0000006b
1 1 0

WriteConsoleW

buffer: mmandNotFoundException
console_handle: 0x00000077
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : CommandNotFoundException
console_handle: 0x00000083
1 1 0

WriteConsoleW

buffer: SUCCESS: The scheduled task "Updates\IDXJRvJUpAIjP" has successfully been created.
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e8e30
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e8f70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e8f70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e8f70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e8770
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e8770
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e8770
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e8770
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e8770
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e8770
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e8f70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e8f70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e8f70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e94f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e94f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e94f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e91f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e94f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e94f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e94f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e94f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e94f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e94f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e94f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e92b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e92b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e92b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e92b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e92b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e92b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e92b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e92b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e92b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e92b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e92b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e92b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e92b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e92b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e9330
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e9330
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e9330
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e9330
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e9330
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e9330
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e9330
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006e9330
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
pdb_path WYScNRo.pdb
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
domain makatti.duckdns.org
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 1835008
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b10000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c90000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1208
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f31000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1208
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f32000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 1507328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00710000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00840000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00372000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003a5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ab000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003a7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0038c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00600000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0037a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0039a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00397000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0038a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00601000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00396000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00603000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00604000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00605000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00606000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0037c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00607000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00608000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00609000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0038d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0038e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0060a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0060b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0060c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0060d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0060e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0060f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007a1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007a2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007a3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2436
region_size: 393216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02450000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2436
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02470000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2436
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6ef21000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2436
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0251a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2436
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6ef22000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2436
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02512000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2436
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02522000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2436
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02471000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2436
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02472000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2436
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0254a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2436
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02523000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2436
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02524000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IDXJRvJUpAIjP" /XML "C:\Users\test22\AppData\Local\Temp\tmpF586.tmp"
cmdline schtasks.exe /Create /TN "Updates\IDXJRvJUpAIjP" /XML "C:\Users\test22\AppData\Local\Temp\tmpF586.tmp"
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\IDXJRvJUpAIjP.exe"
cmdline powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\IDXJRvJUpAIjP.exe"
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\IDXJRvJUpAIjP.exe"
filepath: powershell
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: schtasks.exe
parameters: /Create /TN "Updates\IDXJRvJUpAIjP" /XML "C:\Users\test22\AppData\Local\Temp\tmpF586.tmp"
filepath: schtasks.exe
1 1 0
section name .text, size_of_data 0x000d2600, virtual_address 0x00002000, virtual_size 0x000d251c, entropy 7.436617765607363 entropy 7.43661776561 description A section with a high entropy has been found
entropy 0.96724137931 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Communications over RAW Socket rule Network_TCP_Socket
description Escalate privileges rule Escalate_priviledges
description PWS Memory rule Generic_PWS_Memory_Zero
description Possible Infostealer Activity rule Possible_Infostealer_Activity_m
description Communications use DNS rule Network_DNS
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description File Downloader rule Network_Downloader
description Match Windows Inet API call rule Str_Win32_Internet_API
description Install itself for autorun at Windows startup rule Persistence
description email clients info stealer rule infoStealer_emailClients_Zero
description Run a KeyLogger rule KeyLogger
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IDXJRvJUpAIjP" /XML "C:\Users\test22\AppData\Local\Temp\tmpF586.tmp"
cmdline schtasks.exe /Create /TN "Updates\IDXJRvJUpAIjP" /XML "C:\Users\test22\AppData\Local\Temp\tmpF586.tmp"
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2584
region_size: 118784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000003e8
1 0 0
file C:\Users\test22\AppData\Local\Temp\tmpF586.tmp
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ö2iK·\:K·\:K·\:ˆ¸:J·\:BÏØ:J·\:BÏÏ:W·\:K·]:•·\:ˆ¸:H·\:BÏß:I·\:lq1:J·\:lq2:H·\:N»S:J·\:ÚÞU;"·\:ÚÞ£:J·\:ÚÞ^;J·\:RichK·\:PELÇPˆ\à –8W @Ð@…\I€p,°d àG @.text `.rdataò: <@@.data@`D@À.rsrcp,€.J@@.relocd °x@B.bssÀ†@@
base_address: 0x00400000
process_identifier: 2584
process_handle: 0x000003e8
1 1 0

WriteProcessMemory

buffer: m@@ž@­@¼@Ë@Ú@ü@ @ @™TÍ<¨‡K¢`ˆˆÝ;UBÄôKŠ› A³€ÝJpMÛ(H»ï¾­Þï¾­ÞH¸ï¾­Þï¾­Þÿã¸ï¾­Þéï¾­ÞU‹ì‹U‹E‹È…Òt ÆAƒêu÷]ÃU‹ìd¡0ƒì‹@ SVW‹x 駋G03ö‹_,‹?‰Eø‹B<‰}ô‹Dx‰Eð…À„…Áë3ɅÛt-‹}ø¾ÁÎ €<a‰Uø| ‹ÂƒÀàðëuøA;ËrߋUü‹}ô‹Eð‹L3ۋD ‰Mì…Ét<‹3ÿʃÀ‰Mø‹Ñ‰EèŠ ÁÏ ¾ÁøB„Éuñ‹Uü‰}ø‹Eø‹}ôÆ;Et ‹EèC;]ìrċW‰Uü…Ò…Kÿÿÿ3À_^[É‹uð‹D$X· ‹Dˆ‹ÂëÝU‹ìì¼‹ESVW‹XhLw&‰M ‰]¸èèþÿÿ‹ðÇEÄkern3ÀÇEÈel32ˆEЈEލEÄPÇEÌ.dllÇEàntdlÇEäl.dlfÇEèlÇEÔuserÇEØ32.dfÇEÜllfÇEø1fÇEü2ÿ֍EàPÿ֍EÔPÿÖhX¤SåèyþÿÿhyÌ?†‰EèlþÿÿhEƒV‰Eôè_þÿÿhDð5à‰EÀèRþÿÿhP‰E¤èEþÿÿhƖ‡R‰Eœè8þÿÿh_xTî‰Eðè+þÿÿhÚöÚO‰E˜èþÿÿ‹øhÆp‰}´èþÿÿh­ž_»‹ðèþÿÿh-W®[‰E¼èöýÿÿ‰E¬3ÀPh€jPPh€S‰E¨ÿ×j‰EìPÿ֋]‹ø‰}°jh0WjÿӋð…ötîjE¨PW‹}ìVWÿU¼WÿUð€>M‹]¸t jEøPPjÿUÀÆE hà.ÿU¤3À}ˆ«jDj«««…DÿÿÿPèTýÿÿƒÄ ÿu jhÿÿÿUœ‰E¼…ÀuOEˆP…DÿÿÿP3ÀPPPPPPPSÿUô…À…¯PPjPPh@S‰E¸ÿU´‹øjƒÿÿtE¸ë^EüPPjÿUÀ鄃eìMìQPÿU˜}ìtoEˆP…DÿÿÿP3ÀPPPPPPPSÿUô…ÀuOPPjPPh@S‰EÿU´‹øjƒÿÿt*EPÿu°VWÿU¬WÿUðEˆP…DÿÿÿP3ÀPPPPPPPSÿUôë EüPPjÿUÀÆE ÿu¼ÿUð€} „åþÿÿ_^[ÉÃÄ;Ad
base_address: 0x00416000
process_identifier: 2584
process_handle: 0x000003e8
1 1 0

WriteProcessMemory

buffer: „Š00 0µ0¼0É0Ð0o1u1|1ƒ1Š1•1¤1³1Â1Ñ1Ü1â1é1ð1÷12 22"2(2/262=2D2N2n2÷:; ;&;1;<;G;R;];h;‡;˜;£;®;¹;Ä;Ï;è;ñ;<!<@<Y<¸<ú<¥>Ç>Ï> dê0Ð1_4j4Ÿ4µ4À4Ü4é4ù4%5,5£5É5Ü5û5m6Ú6ý677u7ð78•8¯8Ñ8õ8û8?9€9Ë9 ;P;Ã;È;Õ;ã;õ;[>’>½>?0?~?Ï?0À000N0U0-1A1V1u111°1â1$2›2ï2I3t3¶3Í3è34‹5Î5 6!616|6Œ6–66¦6¾6ö67'7A7K7W7^7j7q7}7„77—7Ü7î7 88]8k8|8Ô8æ8í8ù899!91989D9K9W9^9ã9þ9S:Z:a:j:è:ï:ý:;J;Q;X;a;²;Ø;/<A<N<÷<G=Ý=>¿>å>½?ê?@x«0Ø0´1ú1+3X3ˆ3Ž3Ô3Û3Ï45e5Ï5K6]6¼6ë6737<7¯8á9:S;p;‘;²;Ì;é;<s<™<¶<Ó<ð< =.=K=«=²=Ø=ß=ù=>3>P>m>×>í>??<?R?ú?P€/080X0§01&1t1ã2ú2 303<3f3—3½4Î4í6ô6û6777"7'737A77š7Ÿ7¬7Á7È7Ö7Ü7æ7%8+828<8L8S8o8ˆ89989?9I9P9Z9a9®9µ9Á9Ç9Ì9Ó9á9æ9ò9`«>?¥?plˆ0Ú0·1¿1Ý1†3Œ3°3Ä3Ö3Û3á3é3ö34&454A4R4k4q4{4‚4Š44œ4¦45+505:5D5N5X5b5l5v5€5Š5˜5Ÿ5Ã5á5è5>6H6R6t6~6ˆ6±6»6Å6Ï6Ù6ö67 77d7n7x7‚7«7°7µ7È7Í7Ò7Ù7æ7ë7ð7$8)8.888=8B8O8T8Y8f8k8p8}8‚8‡8¸8Å8Ê8Ï8Ü8á8æ8ó8ø899!9%9)9-9195999=9A9E9_9‘9¤9¼9Õ9î9û9::8:Z:_:{:::œ:¦:±:Ê:Õ:Ú:é:õ: ;;;†;£;Ù;ö;<3<[<m<¾<Ø<ð<ú<%=E=J=e=k=q=‰=‘=—=¢=®=´=¿=Ù=ä=é=õ=û=>>>$><>M>W>`>ƒ>²>ô>…?Ÿ?€@$0:0½0ä0÷01 1%1+131;1F1K1o1„1‰1²1 2,2G2w2~2„2§2À2Æ2Ð2å2ï2 33=3H3u33ˆ3”3 3ª3°3¶3Æ3Î3Ô3Ú3å3í3ô3ú34 4444)4?4J4V4[4b4l4r4{44†4Ž4™4ª4¯4µ4Å4Ö4Û4á4æ4ì4ö4ü45555!5'5.5;5@5L5Q5^5c5¾5%62696F6v6}6K8Í8Ø8ì8ö8ÿ8 929:9@9K9i9“9¡9Ç9ð9,:P:¡:¦:«:²:;";2;B;R;b;r;‚;’;¢;²;Â;1<D<T<a<q<~<Ž<›<²<Õ<==.=;=O==0>5>|>À>?H?Œ?ù?tf0Ó0p1¦1Ö1Ý1ø1>2g2¢2»2È2ÿ2—3¯3Ø3ò3Y4©4é4 5_6Ý6ä647w7‘7ž7¯7Ó7ì7ù7;8Ó8ë89.9•9å9%:b:­;+<2<<½< =I=•=Ç=ú=â>? 
È0f0m0u0Š0œ0²0È0ó0=1À1É1Î1ç12222K2d2}2œ2·2ú23L3´3Ä3×3ê3ý34#464I4e4¹4?5í5ù5 66)696I6Y6d6w6‚6˜6´6Ð6ì67X8ó8ø89*9C9\9u9Ž9§9À9á9ú9;:V:‘:;);<;O;b;u;ˆ;›;®;Ê;< <.<G<[<d<m<:=Ê=ß=> >1>C>­?È?°ø1 111-12171A1U1Z1_1m1u1|1‚1‘1›1 1§1¸1À1Ç1Î1Õ1Ü1ã1D2±2Õ2$3|3Š3›3Å34/454:4E4J4U4Z4d4z4ª4¾4÷455/595F5M5S5X5¡5Â5é5ò566-6;6U6^6s6€66—6©6²6À6Ý6ç67 77&7G7R7e7’7Ÿ7¬7¹7Æ7Ó78—8ì8š9¬9Â9;1;I;°;É;<)<3<A<ú<=E==Ž=>>:>K>>•>£>É>Ö>r?˜?¥?ñ?ÀD60T0ô0É1Ú142ƒ2ç2'3Q3]3e3o3u3ž3¤3ª3°3»3Á3Ì3Ò3Ý3ã3î3ô3ÿ3444 4&42474=4Q4\4h4m4t4€4†4Š44¢4¼4Û4ô45-5v5Â5Ç5ù56>6I6[6d6m6s6‚6¡6¨6´6¹6Ú6÷6ü67777>7S7Y7e7m7w7}7„7Š7«7°7µ7»7Á7Ë7Ð7ç7ý7&8;8W8d8p8‡8â8ï8"9R9Ê9P:^:Œ: :­:¾:ú:8;F;];|;;­;<<< <)</<4<e<<™< <¥<ª<¯<µ<¹<À<Ë<ù<ÿ<Ž=”=›=¡=·=Á=ã=û=>>>>.>4>]>d>r>‡>>ì>0?Ž?•?и$00Ñ0ê0ü0$151C1i1|1·1Ç1Ï1242D2M2T2ƒ2“2œ2£2 3E3O3]3ƒ3ª3÷34=4]4q4}4Â4Ø4ú45O5t5„55”587?7]7r7†7¡7Ë7ü78&8@88Š8¶8Á8ê8919?9“9¥9É9<:~: ;Š;±;á;[<ˆ<ž<­<Ò<â<=k=s={=†=’==²=º=Ê=àp 2J233+3?3¼4´5W6n6ƒ66š67+70787?7„7™7±7¼7Í7é7ù78W8p8{8å89J9n9u9Ò9ä9%:H:{:¥:Ó:ö:9;;œ;<¸<ã=">@>^>ðü@0F0³0À0Í0=1F1T1o1™1­1»1Â1É122+20272D2M2V2l2~2„2’2›2¥2¯2¶2‰3¢3Î3ç34:4X4`4{4•4É4á4 5F5]5d5÷5666<6C6g6u6|6ƒ6À6Ï677,7?7^7h77¿7Æ7Þ7 8828=8 959t9•9}:ˆ:‘:¡:¨:®:·:Â:Ë:ï:ú:;;;;%;);L;R;W;k;w;;…;˜;ö;<?<U<=6=R=s=‡=“=c>o>…>Š>¢>Ó>Û>ï>þ>?8?è050A0I0U0l0”0±0¾0Õ0w1›1¨1°1Ã1â1414:4C4I4^4”44£4´4Â4Ü4ó4Í56Í6á6"7-777A7K7v7‰7”7ª7Ò7ä7ë788i8y88Æ8Ë8Ø899M9@:l:«:Ê:Õ:ä:î:ý:;;g;l;z;‰;+<2<k<p<}<Ñ<Ø</=`==º=í=>>%>/>9>‡>¢>¬>»>Á>Ð>ë>õ>? ??4?>?M?S?b?}?‡?’?˜?¤?¿?É?Ô?Ú?ä?X0 000(060;0@0E0J0®0Ë0è01&1:1T1[1k1r1œ1b2n2u2{2„2‰2œ2¡2¦2«2²2¹2½2Ã2á2ë2ö23 3 À 4$4´4¸4¼4À4Ä4È4Ì4Ð4Ô4Ø4Ü4à4ä4è4ì4ð4ô4ø4ü4555 55555 5$5(5,5054585<5@5D5H5L5P5T5X5\5`5d5h5l5p5t5x5|5€5„5ˆ5Œ55”5˜5œ5 5¤5¨5¬5°5´5¸5¼5À5Ä5È5Ì5Ð5Ô5Ø5Ü5à5ä5è5ì5ð5ô5ø5ü5666 66660¤;¨;¬;Ä;È;Ì;@866`6d6h6l6p6¤6¨6ä6è6ü6777|7€7„7ˆ7Œ77”7˜7` 00 00000 0$0(0x5
base_address: 0x0041b000
process_identifier: 2584
process_handle: 0x000003e8
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0041c000
process_identifier: 2584
process_handle: 0x000003e8
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2584
process_handle: 0x000003e8
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ö2iK·\:K·\:K·\:ˆ¸:J·\:BÏØ:J·\:BÏÏ:W·\:K·]:•·\:ˆ¸:H·\:BÏß:I·\:lq1:J·\:lq2:H·\:N»S:J·\:ÚÞU;"·\:ÚÞ£:J·\:ÚÞ^;J·\:RichK·\:PELÇPˆ\à –8W @Ð@…\I€p,°d àG @.text `.rdataò: <@@.data@`D@À.rsrcp,€.J@@.relocd °x@B.bssÀ†@@
base_address: 0x00400000
process_identifier: 2584
process_handle: 0x000003e8
1 1 0
Process injection Process 1208 called NtSetContextThread to modify thread in remote process 2584
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4216632
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000003c8
process_identifier: 2584
1 0 0
Process injection Process 1208 resumed a thread in remote process 2584
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000003c8
suspend_count: 1
process_identifier: 2584
1 0 0
dead_host 94.156.68.226:3787
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 1208
1 0 0

NtResumeThread

thread_handle: 0x00000150
suspend_count: 1
process_identifier: 1208
1 0 0

NtResumeThread

thread_handle: 0x00000190
suspend_count: 1
process_identifier: 1208
1 0 0

NtResumeThread

thread_handle: 0x000002b8
suspend_count: 1
process_identifier: 1208
1 0 0

NtResumeThread

thread_handle: 0x000002d4
suspend_count: 1
process_identifier: 1208
1 0 0

CreateProcessInternalW

thread_identifier: 2440
thread_handle: 0x000003c8
process_identifier: 2436
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\IDXJRvJUpAIjP.exe"
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003cc
1 1 0

CreateProcessInternalW

thread_identifier: 2488
thread_handle: 0x000003b0
process_identifier: 2484
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IDXJRvJUpAIjP" /XML "C:\Users\test22\AppData\Local\Temp\tmpF586.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003d4
1 1 0

CreateProcessInternalW

thread_identifier: 2588
thread_handle: 0x000003c8
process_identifier: 2584
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\xnnwljxxbbawjwlmac.exe
track: 1
command_line:
filepath_r: C:\Users\test22\AppData\Local\Temp\xnnwljxxbbawjwlmac.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000003e8
1 1 0

NtGetContextThread

thread_handle: 0x000003c8
1 0 0

NtAllocateVirtualMemory

process_identifier: 2584
region_size: 118784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000003e8
1 0 0

WriteProcessMemory

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ö2iK·\:K·\:K·\:ˆ¸:J·\:BÏØ:J·\:BÏÏ:W·\:K·]:•·\:ˆ¸:H·\:BÏß:I·\:lq1:J·\:lq2:H·\:N»S:J·\:ÚÞU;"·\:ÚÞ£:J·\:ÚÞ^;J·\:RichK·\:PELÇPˆ\à –8W @Ð@…\I€p,°d àG @.text `.rdataò: <@@.data@`D@À.rsrcp,€.J@@.relocd °x@B.bssÀ†@@
base_address: 0x00400000
process_identifier: 2584
process_handle: 0x000003e8
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00401000
process_identifier: 2584
process_handle: 0x000003e8
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00412000
process_identifier: 2584
process_handle: 0x000003e8
1 1 0

WriteProcessMemory

buffer: m@@ž@­@¼@Ë@Ú@ü@ @ @™TÍ<¨‡K¢`ˆˆÝ;UBÄôKŠ› A³€ÝJpMÛ(H»ï¾­Þï¾­ÞH¸ï¾­Þï¾­Þÿã¸ï¾­Þéï¾­ÞU‹ì‹U‹E‹È…Òt ÆAƒêu÷]ÃU‹ìd¡0ƒì‹@ SVW‹x 駋G03ö‹_,‹?‰Eø‹B<‰}ô‹Dx‰Eð…À„…Áë3ɅÛt-‹}ø¾ÁÎ €<a‰Uø| ‹ÂƒÀàðëuøA;ËrߋUü‹}ô‹Eð‹L3ۋD ‰Mì…Ét<‹3ÿʃÀ‰Mø‹Ñ‰EèŠ ÁÏ ¾ÁøB„Éuñ‹Uü‰}ø‹Eø‹}ôÆ;Et ‹EèC;]ìrċW‰Uü…Ò…Kÿÿÿ3À_^[É‹uð‹D$X· ‹Dˆ‹ÂëÝU‹ìì¼‹ESVW‹XhLw&‰M ‰]¸èèþÿÿ‹ðÇEÄkern3ÀÇEÈel32ˆEЈEލEÄPÇEÌ.dllÇEàntdlÇEäl.dlfÇEèlÇEÔuserÇEØ32.dfÇEÜllfÇEø1fÇEü2ÿ֍EàPÿ֍EÔPÿÖhX¤SåèyþÿÿhyÌ?†‰EèlþÿÿhEƒV‰Eôè_þÿÿhDð5à‰EÀèRþÿÿhP‰E¤èEþÿÿhƖ‡R‰Eœè8þÿÿh_xTî‰Eðè+þÿÿhÚöÚO‰E˜èþÿÿ‹øhÆp‰}´èþÿÿh­ž_»‹ðèþÿÿh-W®[‰E¼èöýÿÿ‰E¬3ÀPh€jPPh€S‰E¨ÿ×j‰EìPÿ֋]‹ø‰}°jh0WjÿӋð…ötîjE¨PW‹}ìVWÿU¼WÿUð€>M‹]¸t jEøPPjÿUÀÆE hà.ÿU¤3À}ˆ«jDj«««…DÿÿÿPèTýÿÿƒÄ ÿu jhÿÿÿUœ‰E¼…ÀuOEˆP…DÿÿÿP3ÀPPPPPPPSÿUô…À…¯PPjPPh@S‰E¸ÿU´‹øjƒÿÿtE¸ë^EüPPjÿUÀ鄃eìMìQPÿU˜}ìtoEˆP…DÿÿÿP3ÀPPPPPPPSÿUô…ÀuOPPjPPh@S‰EÿU´‹øjƒÿÿt*EPÿu°VWÿU¬WÿUðEˆP…DÿÿÿP3ÀPPPPPPPSÿUôë EüPPjÿUÀÆE ÿu¼ÿUð€} „åþÿÿ_^[ÉÃÄ;Ad
base_address: 0x00416000
process_identifier: 2584
process_handle: 0x000003e8
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00418000
process_identifier: 2584
process_handle: 0x000003e8
1 1 0

WriteProcessMemory

buffer: „Š00 0µ0¼0É0Ð0o1u1|1ƒ1Š1•1¤1³1Â1Ñ1Ü1â1é1ð1÷12 22"2(2/262=2D2N2n2÷:; ;&;1;<;G;R;];h;‡;˜;£;®;¹;Ä;Ï;è;ñ;<!<@<Y<¸<ú<¥>Ç>Ï> dê0Ð1_4j4Ÿ4µ4À4Ü4é4ù4%5,5£5É5Ü5û5m6Ú6ý677u7ð78•8¯8Ñ8õ8û8?9€9Ë9 ;P;Ã;È;Õ;ã;õ;[>’>½>?0?~?Ï?0À000N0U0-1A1V1u111°1â1$2›2ï2I3t3¶3Í3è34‹5Î5 6!616|6Œ6–66¦6¾6ö67'7A7K7W7^7j7q7}7„77—7Ü7î7 88]8k8|8Ô8æ8í8ù899!91989D9K9W9^9ã9þ9S:Z:a:j:è:ï:ý:;J;Q;X;a;²;Ø;/<A<N<÷<G=Ý=>¿>å>½?ê?@x«0Ø0´1ú1+3X3ˆ3Ž3Ô3Û3Ï45e5Ï5K6]6¼6ë6737<7¯8á9:S;p;‘;²;Ì;é;<s<™<¶<Ó<ð< =.=K=«=²=Ø=ß=ù=>3>P>m>×>í>??<?R?ú?P€/080X0§01&1t1ã2ú2 303<3f3—3½4Î4í6ô6û6777"7'737A77š7Ÿ7¬7Á7È7Ö7Ü7æ7%8+828<8L8S8o8ˆ89989?9I9P9Z9a9®9µ9Á9Ç9Ì9Ó9á9æ9ò9`«>?¥?plˆ0Ú0·1¿1Ý1†3Œ3°3Ä3Ö3Û3á3é3ö34&454A4R4k4q4{4‚4Š44œ4¦45+505:5D5N5X5b5l5v5€5Š5˜5Ÿ5Ã5á5è5>6H6R6t6~6ˆ6±6»6Å6Ï6Ù6ö67 77d7n7x7‚7«7°7µ7È7Í7Ò7Ù7æ7ë7ð7$8)8.888=8B8O8T8Y8f8k8p8}8‚8‡8¸8Å8Ê8Ï8Ü8á8æ8ó8ø899!9%9)9-9195999=9A9E9_9‘9¤9¼9Õ9î9û9::8:Z:_:{:::œ:¦:±:Ê:Õ:Ú:é:õ: ;;;†;£;Ù;ö;<3<[<m<¾<Ø<ð<ú<%=E=J=e=k=q=‰=‘=—=¢=®=´=¿=Ù=ä=é=õ=û=>>>$><>M>W>`>ƒ>²>ô>…?Ÿ?€@$0:0½0ä0÷01 1%1+131;1F1K1o1„1‰1²1 2,2G2w2~2„2§2À2Æ2Ð2å2ï2 33=3H3u33ˆ3”3 3ª3°3¶3Æ3Î3Ô3Ú3å3í3ô3ú34 4444)4?4J4V4[4b4l4r4{44†4Ž4™4ª4¯4µ4Å4Ö4Û4á4æ4ì4ö4ü45555!5'5.5;5@5L5Q5^5c5¾5%62696F6v6}6K8Í8Ø8ì8ö8ÿ8 929:9@9K9i9“9¡9Ç9ð9,:P:¡:¦:«:²:;";2;B;R;b;r;‚;’;¢;²;Â;1<D<T<a<q<~<Ž<›<²<Õ<==.=;=O==0>5>|>À>?H?Œ?ù?tf0Ó0p1¦1Ö1Ý1ø1>2g2¢2»2È2ÿ2—3¯3Ø3ò3Y4©4é4 5_6Ý6ä647w7‘7ž7¯7Ó7ì7ù7;8Ó8ë89.9•9å9%:b:­;+<2<<½< =I=•=Ç=ú=â>? 
È0f0m0u0Š0œ0²0È0ó0=1À1É1Î1ç12222K2d2}2œ2·2ú23L3´3Ä3×3ê3ý34#464I4e4¹4?5í5ù5 66)696I6Y6d6w6‚6˜6´6Ð6ì67X8ó8ø89*9C9\9u9Ž9§9À9á9ú9;:V:‘:;);<;O;b;u;ˆ;›;®;Ê;< <.<G<[<d<m<:=Ê=ß=> >1>C>­?È?°ø1 111-12171A1U1Z1_1m1u1|1‚1‘1›1 1§1¸1À1Ç1Î1Õ1Ü1ã1D2±2Õ2$3|3Š3›3Å34/454:4E4J4U4Z4d4z4ª4¾4÷455/595F5M5S5X5¡5Â5é5ò566-6;6U6^6s6€66—6©6²6À6Ý6ç67 77&7G7R7e7’7Ÿ7¬7¹7Æ7Ó78—8ì8š9¬9Â9;1;I;°;É;<)<3<A<ú<=E==Ž=>>:>K>>•>£>É>Ö>r?˜?¥?ñ?ÀD60T0ô0É1Ú142ƒ2ç2'3Q3]3e3o3u3ž3¤3ª3°3»3Á3Ì3Ò3Ý3ã3î3ô3ÿ3444 4&42474=4Q4\4h4m4t4€4†4Š44¢4¼4Û4ô45-5v5Â5Ç5ù56>6I6[6d6m6s6‚6¡6¨6´6¹6Ú6÷6ü67777>7S7Y7e7m7w7}7„7Š7«7°7µ7»7Á7Ë7Ð7ç7ý7&8;8W8d8p8‡8â8ï8"9R9Ê9P:^:Œ: :­:¾:ú:8;F;];|;;­;<<< <)</<4<e<<™< <¥<ª<¯<µ<¹<À<Ë<ù<ÿ<Ž=”=›=¡=·=Á=ã=û=>>>>.>4>]>d>r>‡>>ì>0?Ž?•?и$00Ñ0ê0ü0$151C1i1|1·1Ç1Ï1242D2M2T2ƒ2“2œ2£2 3E3O3]3ƒ3ª3÷34=4]4q4}4Â4Ø4ú45O5t5„55”587?7]7r7†7¡7Ë7ü78&8@88Š8¶8Á8ê8919?9“9¥9É9<:~: ;Š;±;á;[<ˆ<ž<­<Ò<â<=k=s={=†=’==²=º=Ê=àp 2J233+3?3¼4´5W6n6ƒ66š67+70787?7„7™7±7¼7Í7é7ù78W8p8{8å89J9n9u9Ò9ä9%:H:{:¥:Ó:ö:9;;œ;<¸<ã=">@>^>ðü@0F0³0À0Í0=1F1T1o1™1­1»1Â1É122+20272D2M2V2l2~2„2’2›2¥2¯2¶2‰3¢3Î3ç34:4X4`4{4•4É4á4 5F5]5d5÷5666<6C6g6u6|6ƒ6À6Ï677,7?7^7h77¿7Æ7Þ7 8828=8 959t9•9}:ˆ:‘:¡:¨:®:·:Â:Ë:ï:ú:;;;;%;);L;R;W;k;w;;…;˜;ö;<?<U<=6=R=s=‡=“=c>o>…>Š>¢>Ó>Û>ï>þ>?8?è050A0I0U0l0”0±0¾0Õ0w1›1¨1°1Ã1â1414:4C4I4^4”44£4´4Â4Ü4ó4Í56Í6á6"7-777A7K7v7‰7”7ª7Ò7ä7ë788i8y88Æ8Ë8Ø899M9@:l:«:Ê:Õ:ä:î:ý:;;g;l;z;‰;+<2<k<p<}<Ñ<Ø</=`==º=í=>>%>/>9>‡>¢>¬>»>Á>Ð>ë>õ>? ??4?>?M?S?b?}?‡?’?˜?¤?¿?É?Ô?Ú?ä?X0 000(060;0@0E0J0®0Ë0è01&1:1T1[1k1r1œ1b2n2u2{2„2‰2œ2¡2¦2«2²2¹2½2Ã2á2ë2ö23 3 À 4$4´4¸4¼4À4Ä4È4Ì4Ð4Ô4Ø4Ü4à4ä4è4ì4ð4ô4ø4ü4555 55555 5$5(5,5054585<5@5D5H5L5P5T5X5\5`5d5h5l5p5t5x5|5€5„5ˆ5Œ55”5˜5œ5 5¤5¨5¬5°5´5¸5¼5À5Ä5È5Ì5Ð5Ô5Ø5Ü5à5ä5è5ì5ð5ô5ø5ü5666 66660¤;¨;¬;Ä;È;Ì;@866`6d6h6l6p6¤6¨6ä6è6ü6777|7€7„7ˆ7Œ77”7˜7` 00 00000 0$0(0x5
base_address: 0x0041b000
process_identifier: 2584
process_handle: 0x000003e8
1 1 0

WriteProcessMemory

buffer: 2¶î²2'êÆ/ÝzDæœÃ8sàJQŽŸ$³’µâŠŠç¥»wža´g[ý+J§T*«hx'‚Ók ù6ù /Q®Ò?"ç’*ÈÏÁšsÓøŒ¡C¼Ga-¿¼!lZ&#éœ53„ÜPË2³KÿkçútšF#V;g–l)%(OŠ0{'U’b
base_address: 0x0041c000
process_identifier: 2584
process_handle: 0x000003e8
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2584
process_handle: 0x000003e8
1 1 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4216632
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000003c8
process_identifier: 2584
1 0 0

NtResumeThread

thread_handle: 0x000003c8
suspend_count: 1
process_identifier: 2584
1 0 0

NtResumeThread

thread_handle: 0x000003fc
suspend_count: 1
process_identifier: 1208
1 0 0

NtResumeThread

thread_handle: 0x000002a8
suspend_count: 1
process_identifier: 2436
1 0 0

NtResumeThread

thread_handle: 0x000002fc
suspend_count: 1
process_identifier: 2436
1 0 0

NtResumeThread

thread_handle: 0x00000448
suspend_count: 1
process_identifier: 2436
1 0 0

NtResumeThread

thread_handle: 0x000004a8
suspend_count: 1
process_identifier: 2436
1 0 0
Bkav W32.AIDetectMalware.CS
Lionic Trojan.Win32.Stealer.12!c
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
Skyhigh BehavesLike.Win32.Generic.cc
Cylance unsafe
Sangfor Infostealer.Msil.Kryptik.Vnyv
VirIT Trojan.Win32.MSIL_Heur.A
Symantec Scr.Malcode!gdn34
ESET-NOD32 a variant of MSIL/GenKryptik.GHYZ
APEX Malicious
McAfee Artemis!0C74BC9529B8
Avast Win32:PWSX-gen [Trj]
Kaspersky UDS:Trojan-PSW.MSIL.Stealer.gen
Alibaba Trojan:MSIL/SnakeKeylogger.62481560
Rising Malware.Obfus/MSIL@AI.90 (RDM.MSIL2:g2x/pY/zUv+JW2PbL+/5Cg)
F-Secure Heuristic.HEUR/AGEN.1365408
DrWeb Trojan.PackedNET.2678
TrendMicro TROJ_GEN.R002C0DBC24
Trapmine malicious.moderate.ml.score
FireEye Generic.mg.0c74bc9529b8d9f9
Sophos Mal/Generic-S
Avira HEUR/AGEN.1365408
Kingsoft Win32.PSWTroj.Undef.a
Gridinsoft Trojan.Win32.Kryptik.sa
Microsoft Trojan:MSIL/SnakeKeylogger.SPFF!MTB
ZoneAlarm HEUR:Trojan.MSIL.Taskun.gen
Varist W32/MSIL_Kryptik.KOT.gen!Eldorado
DeepInstinct MALICIOUS
VBA32 TrojanLoader.MSIL.DaVinci.Heur
Malwarebytes Malware.AI.1941022905
Panda Trj/Chgt.AD
TrendMicro-HouseCall TROJ_GEN.R002C0DBC24
Tencent Win32.Trojan.Agen.Psmw
MaxSecure Trojan.Malware.300983.susgen
Fortinet MSIL/Kryptik.AJOF!tr
AVG Win32:PWSX-gen [Trj]
CrowdStrike win/malicious_confidence_100% (W)